ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2

General

Target

ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe
Size

587KB
MD5

7b63fb3722db8f4b5ee5fb035eea1c01
SHA1

7384c676108261331d64fef65e62d4facdaf7b89
SHA256

ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2
SHA512

8b1c7696d120c86e62dc0c1fe94e23eb644dbd406673e3b9a1e4bb8b3af4d504b48169c7ec1aecc3f981c2fce6f912f1ec0a6b38dcbc17e293080e0dbf2f2bb8
SSDEEP

12288:pzUqSnNJ8o1Ww5VJfk7MQqzjjwpZ7+owMVUDymiY8:pzUqkNfM0cGTwpZakO9iY8

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\TXP1atform.exe	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe
File created	C:\Windows\SysWOW64\drivers\TXP1atform.exe	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe

Executes dropped EXE 2 IoCs

pid	Process
988	TXP1atform.exe
2044	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1184-54-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1184-56-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/files/0x000a0000000122ce-58.dat	upx
behavioral1/files/0x000a0000000122ce-59.dat	upx
behavioral1/files/0x000a0000000122ce-61.dat	upx
behavioral1/files/0x000a0000000122ce-63.dat	upx
behavioral1/memory/988-67-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1184-69-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/988-68-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1776	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe
1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe
1776	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe
988	TXP1atform.exe
988	TXP1atform.exe
988	TXP1atform.exe
988	TXP1atform.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1776	1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe	26
PID 1184 wrote to memory of 1776	1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe	26
PID 1184 wrote to memory of 1776	1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe	26
PID 1184 wrote to memory of 1776	1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe	26
PID 1184 wrote to memory of 988	1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe	28
PID 1184 wrote to memory of 988	1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe	28
PID 1184 wrote to memory of 988	1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe	28
PID 1184 wrote to memory of 988	1184	ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe	28
PID 1776 wrote to memory of 2044	1776	cmd.exe	29
PID 1776 wrote to memory of 2044	1776	cmd.exe	29
PID 1776 wrote to memory of 2044	1776	cmd.exe	29
PID 1776 wrote to memory of 2044	1776	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe
"C:\Users\Admin\AppData\Local\Temp\ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\72$$.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe
    "C:\Users\Admin\AppData\Local\Temp\ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe"
    3⤵
    - Executes dropped EXE
    PID:2044
- C:\Windows\SysWOW64\drivers\TXP1atform.exe
  C:\Windows\system32\drivers\TXP1atform.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72$$.bat

Filesize
677B

MD5
a100d047ee96ee3e9ecc369888c2aa72

SHA1
235e960bfd0f4bb2245225ff357e15eaf9d9e2b4

SHA256
772a07652d1efbdedcb83ed537ee29195ceb11bef7705f51f7818b882ddd49fc

SHA512
6cc0f800732e3c28e2060ec4ce78996570baf865d42e98909dab1f7580913de64b1b1543d164435e5e86ccef2c99e57a1e2ad26f3f50b7d7aeddcf9baf43bf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe

Filesize
509KB

MD5
78753976ae21ce816b65f59dc4e3c85b

SHA1
5eff953f0324b74998d833c069e46454079d88a7

SHA256
e1e08d6aab807864b6f42cac7eefd12f371b1c9fca622cd713538ba7b2fb507d

SHA512
8b54a121f483a552376afe884c3fc8c8a21bd238a75d4ec9e6ef0ef2064f4d4dd1db4660395c9d6331c22fda845cf8612bd19805a0f6e082395c2877837da038

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe.exe

Filesize
509KB

MD5
78753976ae21ce816b65f59dc4e3c85b

SHA1
5eff953f0324b74998d833c069e46454079d88a7

SHA256
e1e08d6aab807864b6f42cac7eefd12f371b1c9fca622cd713538ba7b2fb507d

SHA512
8b54a121f483a552376afe884c3fc8c8a21bd238a75d4ec9e6ef0ef2064f4d4dd1db4660395c9d6331c22fda845cf8612bd19805a0f6e082395c2877837da038

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
78KB

MD5
016f02877c61d419cf2c460777a3971a

SHA1
3663456a82bc2ada79f94cf1711629a823cae21a

SHA256
5178c89e7ac01c089c6e93833e95b30c77fc7c002b0113b680942acff78c0d3e

SHA512
8acca4879328011c22cb8da0bce48d688e0d6977bb3636b046fc0afa7b19c442b0615430124ad324bbc01d64835774b0ff0c67edad2fb5528f226dd9fc41cea0

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
78KB

MD5
016f02877c61d419cf2c460777a3971a

SHA1
3663456a82bc2ada79f94cf1711629a823cae21a

SHA256
5178c89e7ac01c089c6e93833e95b30c77fc7c002b0113b680942acff78c0d3e

SHA512
8acca4879328011c22cb8da0bce48d688e0d6977bb3636b046fc0afa7b19c442b0615430124ad324bbc01d64835774b0ff0c67edad2fb5528f226dd9fc41cea0

Download Submit
\Users\Admin\AppData\Local\Temp\ef9c9e9d773a0fa025e306a1f62ee3e4ff215460720c5aacc9e1dd2606fa54f2.exe

Filesize
509KB

MD5
78753976ae21ce816b65f59dc4e3c85b

SHA1
5eff953f0324b74998d833c069e46454079d88a7

SHA256
e1e08d6aab807864b6f42cac7eefd12f371b1c9fca622cd713538ba7b2fb507d

SHA512
8b54a121f483a552376afe884c3fc8c8a21bd238a75d4ec9e6ef0ef2064f4d4dd1db4660395c9d6331c22fda845cf8612bd19805a0f6e082395c2877837da038

Download Submit
\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
78KB

MD5
016f02877c61d419cf2c460777a3971a

SHA1
3663456a82bc2ada79f94cf1711629a823cae21a

SHA256
5178c89e7ac01c089c6e93833e95b30c77fc7c002b0113b680942acff78c0d3e

SHA512
8acca4879328011c22cb8da0bce48d688e0d6977bb3636b046fc0afa7b19c442b0615430124ad324bbc01d64835774b0ff0c67edad2fb5528f226dd9fc41cea0

Download Submit
\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
78KB

MD5
016f02877c61d419cf2c460777a3971a

SHA1
3663456a82bc2ada79f94cf1711629a823cae21a

SHA256
5178c89e7ac01c089c6e93833e95b30c77fc7c002b0113b680942acff78c0d3e

SHA512
8acca4879328011c22cb8da0bce48d688e0d6977bb3636b046fc0afa7b19c442b0615430124ad324bbc01d64835774b0ff0c67edad2fb5528f226dd9fc41cea0

Download Submit
memory/988-67-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/988-68-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1184-54-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1184-65-0x00000000002A0000-0x00000000002ED000-memory.dmp

Filesize
308KB

Download
memory/1184-66-0x00000000002A0000-0x00000000002ED000-memory.dmp

Filesize
308KB

Download
memory/1184-69-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1184-56-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1184-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing