c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4

Analysis

max time kernel
168s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 12:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe
Size

149KB
MD5

8a85a7e577126d37c89f5798f3e9ab8d
SHA1

657b07d36119640418357e40d495df1642b406b6
SHA256

c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4
SHA512

117de68932a4ac87839389c39f96dd93cbd31ee961b291cd5cc62c9ef98ebafb9d6c1569397bad77096a17685b2e4d657f8078d3022396dc07bc790e2ce10199
SSDEEP

3072:dN0LwH/hUmnWoc3V0HzAhUkPiVpipJec/IMcK4i3JvGoXCnoj912mPrTEOm:dNxPrc3VizWUkzwm4691Fm

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01
1724	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/980-60-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/980-70-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe
980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe
2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01
2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01
1724	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SYSLIB32.DLL	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe
980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 2028	980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe	28
PID 980 wrote to memory of 2028	980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe	28
PID 980 wrote to memory of 2028	980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe	28
PID 980 wrote to memory of 2028	980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe	28
PID 980 wrote to memory of 2028	980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe	28
PID 980 wrote to memory of 2028	980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe	28
PID 980 wrote to memory of 2028	980	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe	28
PID 2028 wrote to memory of 1724	2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01	29
PID 2028 wrote to memory of 1724	2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01	29
PID 2028 wrote to memory of 1724	2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01	29
PID 2028 wrote to memory of 1724	2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01	29
PID 2028 wrote to memory of 1724	2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01	29
PID 2028 wrote to memory of 1724	2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01	29
PID 2028 wrote to memory of 1724	2028	c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01	29

C:\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe
"C:\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01
  C:\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01
    C:\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01 -deleter
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01

Filesize
118KB

MD5
bef1e6a9b97045ec3f2b9cf34acb6810

SHA1
951681061079a820f02e4c62e4b9885f98da6d0d

SHA256
ba4771a2fb260d697f7dc4ca7603ec927e969287776bf1bafc28aa6693ca13c8

SHA512
b38f4d40627bdda7e56ade48298e378797ca36340861f6defab5eaaed1b41123eb8f6e5deb19411f39ccd202c54f5b311874e4f05775df4ff1768f01f2d5ffa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01

Filesize
118KB

MD5
bef1e6a9b97045ec3f2b9cf34acb6810

SHA1
951681061079a820f02e4c62e4b9885f98da6d0d

SHA256
ba4771a2fb260d697f7dc4ca7603ec927e969287776bf1bafc28aa6693ca13c8

SHA512
b38f4d40627bdda7e56ade48298e378797ca36340861f6defab5eaaed1b41123eb8f6e5deb19411f39ccd202c54f5b311874e4f05775df4ff1768f01f2d5ffa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01

Filesize
118KB

MD5
bef1e6a9b97045ec3f2b9cf34acb6810

SHA1
951681061079a820f02e4c62e4b9885f98da6d0d

SHA256
ba4771a2fb260d697f7dc4ca7603ec927e969287776bf1bafc28aa6693ca13c8

SHA512
b38f4d40627bdda7e56ade48298e378797ca36340861f6defab5eaaed1b41123eb8f6e5deb19411f39ccd202c54f5b311874e4f05775df4ff1768f01f2d5ffa9

Download Submit
C:\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01

Filesize
118KB

MD5
bef1e6a9b97045ec3f2b9cf34acb6810

SHA1
951681061079a820f02e4c62e4b9885f98da6d0d

SHA256
ba4771a2fb260d697f7dc4ca7603ec927e969287776bf1bafc28aa6693ca13c8

SHA512
b38f4d40627bdda7e56ade48298e378797ca36340861f6defab5eaaed1b41123eb8f6e5deb19411f39ccd202c54f5b311874e4f05775df4ff1768f01f2d5ffa9

Download Submit
\Users\Admin\AppData\Local\Temp\c30d44f2c42689008d486e284b9dd829935b03ef6c8549aadd5b5702afad1ba4.~01

Filesize
118KB

MD5
bef1e6a9b97045ec3f2b9cf34acb6810

SHA1
951681061079a820f02e4c62e4b9885f98da6d0d

SHA256
ba4771a2fb260d697f7dc4ca7603ec927e969287776bf1bafc28aa6693ca13c8

SHA512
b38f4d40627bdda7e56ade48298e378797ca36340861f6defab5eaaed1b41123eb8f6e5deb19411f39ccd202c54f5b311874e4f05775df4ff1768f01f2d5ffa9

Download Submit
\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
memory/980-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/980-61-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/980-70-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/980-71-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1724-69-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/2028-57-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download