c9a97c68e687b33b94291bcd28c0e23c636fff3e7b1d8210ab4318621338af5b

Analysis

max time kernel
155s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SLIDES~1.exe
Size

95KB
MD5

3e07fd03fedbb0ee2ce9a259f32bde09
SHA1

1f23a321cc285c4758e887be69f050fcbde459b8
SHA256

1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6
SHA512

b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6
SSDEEP

1536:fPVcNBUum97yZcjM6rr6pY5CD8o48D5oC3NAVnCMcb6D6YdVD4qpViMASeL11KC0:lcLlqacjb6pqoloC3NAVn1KVYdSMVilb

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
5068	Lexplorer.exe
1284	Lexplorer.exe
548	Lexplorer.exe
4008	Lexplorer.exe
224	Lexplorer.exe
4292	Lexplorer.exe
1552	Lexplorer.exe
3724	Lexplorer.exe
820	Lexplorer.exe
1508	Lexplorer.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4512-132-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-134.dat	upx
behavioral2/files/0x0008000000022e2a-135.dat	upx
behavioral2/memory/4512-136-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/5068-137-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-139.dat	upx
behavioral2/memory/1284-140-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-142.dat	upx
behavioral2/memory/548-143-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-145.dat	upx
behavioral2/memory/4008-146-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-148.dat	upx
behavioral2/memory/224-149-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-151.dat	upx
behavioral2/memory/4292-152-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-154.dat	upx
behavioral2/memory/1552-155-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-157.dat	upx
behavioral2/memory/3724-158-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-160.dat	upx
behavioral2/memory/820-161-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x0008000000022e2a-163.dat	upx

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lexplorer.exe	SLIDES~1.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	SLIDES~1.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 5068	4512	SLIDES~1.exe	82
PID 4512 wrote to memory of 5068	4512	SLIDES~1.exe	82
PID 4512 wrote to memory of 5068	4512	SLIDES~1.exe	82
PID 5068 wrote to memory of 1284	5068	Lexplorer.exe	83
PID 5068 wrote to memory of 1284	5068	Lexplorer.exe	83
PID 5068 wrote to memory of 1284	5068	Lexplorer.exe	83
PID 1284 wrote to memory of 548	1284	Lexplorer.exe	85
PID 1284 wrote to memory of 548	1284	Lexplorer.exe	85
PID 1284 wrote to memory of 548	1284	Lexplorer.exe	85
PID 548 wrote to memory of 4008	548	Lexplorer.exe	86
PID 548 wrote to memory of 4008	548	Lexplorer.exe	86
PID 548 wrote to memory of 4008	548	Lexplorer.exe	86
PID 4008 wrote to memory of 224	4008	Lexplorer.exe	87
PID 4008 wrote to memory of 224	4008	Lexplorer.exe	87
PID 4008 wrote to memory of 224	4008	Lexplorer.exe	87
PID 224 wrote to memory of 4292	224	Lexplorer.exe	88
PID 224 wrote to memory of 4292	224	Lexplorer.exe	88
PID 224 wrote to memory of 4292	224	Lexplorer.exe	88
PID 4292 wrote to memory of 1552	4292	Lexplorer.exe	89
PID 4292 wrote to memory of 1552	4292	Lexplorer.exe	89
PID 4292 wrote to memory of 1552	4292	Lexplorer.exe	89
PID 1552 wrote to memory of 3724	1552	Lexplorer.exe	90
PID 1552 wrote to memory of 3724	1552	Lexplorer.exe	90
PID 1552 wrote to memory of 3724	1552	Lexplorer.exe	90
PID 3724 wrote to memory of 820	3724	Lexplorer.exe	96
PID 3724 wrote to memory of 820	3724	Lexplorer.exe	96
PID 3724 wrote to memory of 820	3724	Lexplorer.exe	96
PID 820 wrote to memory of 1508	820	Lexplorer.exe	99
PID 820 wrote to memory of 1508	820	Lexplorer.exe	99
PID 820 wrote to memory of 1508	820	Lexplorer.exe	99

C:\Users\Admin\AppData\Local\Temp\SLIDES~1.exe
"C:\Users\Admin\AppData\Local\Temp\SLIDES~1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\Lexplorer.exe
  C:\Windows\system32\Lexplorer.exe 1148 "C:\Users\Admin\AppData\Local\Temp\SLIDES~1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\Lexplorer.exe
    C:\Windows\system32\Lexplorer.exe 1152 "C:\Windows\SysWOW64\Lexplorer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\Lexplorer.exe
      C:\Windows\system32\Lexplorer.exe 1128 "C:\Windows\SysWOW64\Lexplorer.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1116 "C:\Windows\SysWOW64\Lexplorer.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1124 "C:\Windows\SysWOW64\Lexplorer.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1136 "C:\Windows\SysWOW64\Lexplorer.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1132 "C:\Windows\SysWOW64\Lexplorer.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1156 "C:\Windows\SysWOW64\Lexplorer.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1100 "C:\Windows\SysWOW64\Lexplorer.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1144 "C:\Windows\SysWOW64\Lexplorer.exe"
        11⤵
        Executes dropped EXE
        
        PID:1508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
memory/224-149-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/548-143-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/820-161-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1284-140-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1552-155-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3724-158-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4008-146-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4292-152-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4512-132-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4512-136-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5068-137-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download