e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e

General

Target

e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe
Size

192KB
MD5

75973617b1f2d899b5c2323b698352a2
SHA1

5d09157e6d5ba609a40e97eef16b978addadc30f
SHA256

e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e
SHA512

30b570943dc7b7f1e003ac6d88fd7dd501366741ca7fe65105554cacf2bf60cf6549cef019b90ab35f917b530114c247ef175159ccfb48b22f44b80dc14b23e1
SSDEEP

3072:F1nEfWKd2Ss2thzsVtEs4n430hzvV1zb3QzzEeBJWL1HzPbykZKiwU/Wnt:wfVUv2th4sP4ETV1zbAf5bS1HbGkZ0Uu

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3484-132-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/3484-141-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/files/0x00060000000231a2-145.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3484 set thread context of 3848	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	83

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1656	reg.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 3848	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	83
PID 3484 wrote to memory of 3848	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	83
PID 3484 wrote to memory of 3848	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	83
PID 3484 wrote to memory of 3848	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	83
PID 3484 wrote to memory of 3848	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	83
PID 3484 wrote to memory of 3848	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	83
PID 3484 wrote to memory of 3848	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	83
PID 3848 wrote to memory of 1664	3848	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	84
PID 3848 wrote to memory of 1664	3848	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	84
PID 3848 wrote to memory of 1664	3848	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	84
PID 3484 wrote to memory of 700	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	86
PID 3484 wrote to memory of 700	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	86
PID 3484 wrote to memory of 700	3484	e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe	86
PID 1664 wrote to memory of 1656	1664	cmd.exe	88
PID 1664 wrote to memory of 1656	1664	cmd.exe	88
PID 1664 wrote to memory of 1656	1664	cmd.exe	88
PID 1664 wrote to memory of 644	1664	cmd.exe	89
PID 1664 wrote to memory of 644	1664	cmd.exe	89
PID 1664 wrote to memory of 644	1664	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe
"C:\Users\Admin\AppData\Local\Temp\e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe
  "C:\Users\Admin\AppData\Local\Temp\e7c075e23a0bedfc8d86b5d55c5378862f33f7c6a0d33973986d60550731f02e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:1656
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
143fe63638ffe62b1fc3ef4789f288bd

SHA1
9e211315cde783d3d9f63608aaf58c67e5f4814d

SHA256
1bdec6a12e4e6f6a4fc5b4309980501a425fe4ff38843f3d998418778fc86e9c

SHA512
ac86d8722b98a9167541ad3f687432138ade93346d269bb17790149ac158a1ca2ed78f3ed5ebc4bf96363fd34f407609ea69dd4430ff433f5ae285ea1ad2c57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
192KB

MD5
b1fd481460eca2c86c05ae8e0dac92af

SHA1
4bd39781cc831fdd67ef17a45e0d09b9359d7b5c

SHA256
32bed827712839190f21be708ada970ca0807323930622a87a3bd62b8e994c0f

SHA512
1a493ebddaebbce3de3df0a3e0015ccbb2dd50c20e0e61b16fbab6a514d17c6058baa9797cab008c49285f461c2e28a58a25c94ccaddef311cceeaa2a5795592

Download Submit
memory/3484-132-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3484-141-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3848-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3848-139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3848-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3848-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing