b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167

General

Target

b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
Size

35KB
MD5

00d5f25a9e8ede3c90090feb4ded4a21
SHA1

e8ce25bb64be11f92509b3e6345747ebe88441fa
SHA256

b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167
SHA512

ad21388198bf985a04a3ec333b18fca597a92f099a5ee4755701c76d0b2db1c3a60cfdc71dfc31c26a4a9ed2068e6d95a54c83d89e15e610c5ef77a036bff825
SSDEEP

768:WYd514Ukgoj5O2yTuMVwOYQtH4czxYDXypY3s3DKHKTYF3ET1/hZR:W2GUJmOXubEtH4czxowY34Kqi3UZ

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1120	VRX95CB.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1184-54-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1184-56-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1184	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
1184	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
648	WerFault.exe
648	WerFault.exe
648	WerFault.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
648	1120	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1184	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1120	1184	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe	28
PID 1184 wrote to memory of 1120	1184	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe	28
PID 1184 wrote to memory of 1120	1184	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe	28
PID 1184 wrote to memory of 1120	1184	b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe	28
PID 1120 wrote to memory of 648	1120	VRX95CB.tmp	29
PID 1120 wrote to memory of 648	1120	VRX95CB.tmp	29
PID 1120 wrote to memory of 648	1120	VRX95CB.tmp	29
PID 1120 wrote to memory of 648	1120	VRX95CB.tmp	29

C:\Users\Admin\AppData\Local\Temp\b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe
"C:\Users\Admin\AppData\Local\Temp\b78d03e95e0b45909b1bb53bad70dd29c6fc60061934e0cca18108e5ce943167.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\VRX95CB.tmp
  "C:\Users\Admin\AppData\Local\Temp\VRX95CB.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VRX95CB.tmp

Filesize
3KB

MD5
311e98757845111f6dfb38eee49d671e

SHA1
0c8693e2ce66427d3d39372cda98068175a49d62

SHA256
9f5ddad5c105232eb4f7ae4fde359556e0f56ead115376f7aad44a8b51b04062

SHA512
b3ec2a24dc92604efe3e23e7898a9fca3ed6f6aef98feb5269d5f2563d23179981f9d231da4186c0730339bf2fff68dc4147a093cd003f62a2835dab75d6e48e

Download Submit
\Users\Admin\AppData\Local\Temp\VRX95CB.tmp

Filesize
3KB

MD5
311e98757845111f6dfb38eee49d671e

SHA1
0c8693e2ce66427d3d39372cda98068175a49d62

SHA256
9f5ddad5c105232eb4f7ae4fde359556e0f56ead115376f7aad44a8b51b04062

SHA512
b3ec2a24dc92604efe3e23e7898a9fca3ed6f6aef98feb5269d5f2563d23179981f9d231da4186c0730339bf2fff68dc4147a093cd003f62a2835dab75d6e48e

Download Submit
\Users\Admin\AppData\Local\Temp\VRX95CB.tmp

Filesize
3KB

MD5
311e98757845111f6dfb38eee49d671e

SHA1
0c8693e2ce66427d3d39372cda98068175a49d62

SHA256
9f5ddad5c105232eb4f7ae4fde359556e0f56ead115376f7aad44a8b51b04062

SHA512
b3ec2a24dc92604efe3e23e7898a9fca3ed6f6aef98feb5269d5f2563d23179981f9d231da4186c0730339bf2fff68dc4147a093cd003f62a2835dab75d6e48e

Download Submit
\Users\Admin\AppData\Local\Temp\VRX95CB.tmp

Filesize
3KB

MD5
311e98757845111f6dfb38eee49d671e

SHA1
0c8693e2ce66427d3d39372cda98068175a49d62

SHA256
9f5ddad5c105232eb4f7ae4fde359556e0f56ead115376f7aad44a8b51b04062

SHA512
b3ec2a24dc92604efe3e23e7898a9fca3ed6f6aef98feb5269d5f2563d23179981f9d231da4186c0730339bf2fff68dc4147a093cd003f62a2835dab75d6e48e

Download Submit
\Users\Admin\AppData\Local\Temp\VRX95CB.tmp

Filesize
3KB

MD5
311e98757845111f6dfb38eee49d671e

SHA1
0c8693e2ce66427d3d39372cda98068175a49d62

SHA256
9f5ddad5c105232eb4f7ae4fde359556e0f56ead115376f7aad44a8b51b04062

SHA512
b3ec2a24dc92604efe3e23e7898a9fca3ed6f6aef98feb5269d5f2563d23179981f9d231da4186c0730339bf2fff68dc4147a093cd003f62a2835dab75d6e48e

Download Submit
\Users\Admin\AppData\Local\Temp\VRX95CB.tmp

Filesize
3KB

MD5
311e98757845111f6dfb38eee49d671e

SHA1
0c8693e2ce66427d3d39372cda98068175a49d62

SHA256
9f5ddad5c105232eb4f7ae4fde359556e0f56ead115376f7aad44a8b51b04062

SHA512
b3ec2a24dc92604efe3e23e7898a9fca3ed6f6aef98feb5269d5f2563d23179981f9d231da4186c0730339bf2fff68dc4147a093cd003f62a2835dab75d6e48e

Download Submit
memory/1184-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1184-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing