e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345

Analysis

max time kernel
271s
max time network
343s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe
Size

857KB
MD5

fea02960bc9f941720163c099e7a852b
SHA1

0bc7cbdcc6714afd71288a501aebf40401a82436
SHA256

e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345
SHA512

f11bb68005dcb89c22e8824ec97692a0f6fb450c4aa410f93ff2478011de9065e179689c35ac40c4174bd008b82e4dbbf652e05c4c76d7a2f4f6707bcac078ec
SSDEEP

24576:KH69UBaacw5mgbyZ97CBN1zAjqrZ0MGCMe+:KHi2DcM5byZ97edaq9lML

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5088	apocalyps32.exe
4592	apocalyps32.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3228-132-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4380-137-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4380-139-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4380-140-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/3228-141-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4380-142-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x0008000000022e0b-144.dat	upx
behavioral2/files/0x0008000000022e0b-145.dat	upx
behavioral2/memory/4380-148-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/5088-152-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/files/0x0008000000022e0b-155.dat	upx
behavioral2/memory/5088-159-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4592-161-0x0000000040010000-0x000000004004B000-memory.dmp	upx
behavioral2/memory/4592-164-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4592-165-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe
5088	apocalyps32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jurajura.dll	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3228 set thread context of 4380	3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	82
PID 5088 set thread context of 4592	5088	apocalyps32.exe	84

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\apocalyps32.exe	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe
File opened for modification	C:\Windows\apocalyps32.exe	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe
File opened for modification	C:\Windows\apocalyps32.exe	apocalyps32.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe
5088	apocalyps32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4380	3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	82
PID 3228 wrote to memory of 4380	3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	82
PID 3228 wrote to memory of 4380	3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	82
PID 3228 wrote to memory of 4380	3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	82
PID 3228 wrote to memory of 4380	3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	82
PID 3228 wrote to memory of 4380	3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	82
PID 3228 wrote to memory of 4380	3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	82
PID 3228 wrote to memory of 4380	3228	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	82
PID 4380 wrote to memory of 5088	4380	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	83
PID 4380 wrote to memory of 5088	4380	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	83
PID 4380 wrote to memory of 5088	4380	e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe	83
PID 5088 wrote to memory of 4592	5088	apocalyps32.exe	84
PID 5088 wrote to memory of 4592	5088	apocalyps32.exe	84
PID 5088 wrote to memory of 4592	5088	apocalyps32.exe	84
PID 5088 wrote to memory of 4592	5088	apocalyps32.exe	84
PID 5088 wrote to memory of 4592	5088	apocalyps32.exe	84
PID 5088 wrote to memory of 4592	5088	apocalyps32.exe	84
PID 5088 wrote to memory of 4592	5088	apocalyps32.exe	84
PID 5088 wrote to memory of 4592	5088	apocalyps32.exe	84
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85
PID 4592 wrote to memory of 3248	4592	apocalyps32.exe	85

C:\Users\Admin\AppData\Local\Temp\e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe
"C:\Users\Admin\AppData\Local\Temp\e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe
  "C:\Users\Admin\AppData\Local\Temp\e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\apocalyps32.exe
    -bs
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\apocalyps32.exe
      "C:\Windows\apocalyps32.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2971393436-602173351-1645505021-1000\88603cb2913a7df3fbd16b5f958e6447_957af1f1-6875-4c40-9804-a0dcc430f453

Filesize
51B

MD5
5fc2ac2a310f49c14d195230b91a8885

SHA1
90855cc11136ba31758fe33b5cf9571f9a104879

SHA256
374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

SHA512
ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

Download Submit
C:\Windows\SysWOW64\jurajura.dll

Filesize
1.3MB

MD5
7103b491fd8fffd7c490a1f50822c15e

SHA1
71aad40d7bfea00f67460b44cb53e8886ff17a8e

SHA256
6491e3617a0c7b08f59c01a6df16a4685399ccf53668a3b60701fd82c8c368c6

SHA512
e6ae3be675fe569cc6263726cb794f8a80228b9f5ca2dd01ee5cc48c6b7774819670e913f14f34032e760e148f9fb8faf865b59a347eacb7eaab3bedc823429c

Download Submit
C:\Windows\SysWOW64\jurajura.dll

Filesize
1.3MB

MD5
7103b491fd8fffd7c490a1f50822c15e

SHA1
71aad40d7bfea00f67460b44cb53e8886ff17a8e

SHA256
6491e3617a0c7b08f59c01a6df16a4685399ccf53668a3b60701fd82c8c368c6

SHA512
e6ae3be675fe569cc6263726cb794f8a80228b9f5ca2dd01ee5cc48c6b7774819670e913f14f34032e760e148f9fb8faf865b59a347eacb7eaab3bedc823429c

Download Submit
C:\Windows\SysWOW64\jurajura.dll

Filesize
1.3MB

MD5
7103b491fd8fffd7c490a1f50822c15e

SHA1
71aad40d7bfea00f67460b44cb53e8886ff17a8e

SHA256
6491e3617a0c7b08f59c01a6df16a4685399ccf53668a3b60701fd82c8c368c6

SHA512
e6ae3be675fe569cc6263726cb794f8a80228b9f5ca2dd01ee5cc48c6b7774819670e913f14f34032e760e148f9fb8faf865b59a347eacb7eaab3bedc823429c

Download Submit
C:\Windows\apocalyps32.exe

Filesize
857KB

MD5
fea02960bc9f941720163c099e7a852b

SHA1
0bc7cbdcc6714afd71288a501aebf40401a82436

SHA256
e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345

SHA512
f11bb68005dcb89c22e8824ec97692a0f6fb450c4aa410f93ff2478011de9065e179689c35ac40c4174bd008b82e4dbbf652e05c4c76d7a2f4f6707bcac078ec

Download Submit
C:\Windows\apocalyps32.exe

Filesize
857KB

MD5
fea02960bc9f941720163c099e7a852b

SHA1
0bc7cbdcc6714afd71288a501aebf40401a82436

SHA256
e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345

SHA512
f11bb68005dcb89c22e8824ec97692a0f6fb450c4aa410f93ff2478011de9065e179689c35ac40c4174bd008b82e4dbbf652e05c4c76d7a2f4f6707bcac078ec

Download Submit
C:\Windows\apocalyps32.exe

Filesize
857KB

MD5
fea02960bc9f941720163c099e7a852b

SHA1
0bc7cbdcc6714afd71288a501aebf40401a82436

SHA256
e93de9126bb87f8cd3168b4dca960c2ced2f008eff86a84e8f8b62dc7fa1f345

SHA512
f11bb68005dcb89c22e8824ec97692a0f6fb450c4aa410f93ff2478011de9065e179689c35ac40c4174bd008b82e4dbbf652e05c4c76d7a2f4f6707bcac078ec

Download Submit
memory/3228-132-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3228-141-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4380-140-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4380-148-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4380-142-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4380-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4380-137-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4592-161-0x0000000040010000-0x000000004004B000-memory.dmp

Filesize
236KB

Download
memory/4592-164-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4592-165-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5088-152-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5088-159-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download