c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4

General

Target

c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
Size

406KB
MD5

9c3d25a355e7a7278d865e89f1a46468
SHA1

c55c2490a40b4084352a6f9bc465c4d838d281b7
SHA256

c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4
SHA512

17ad171fd300b4d0a4e853942ac0fe9925cab1978254f19ccc5e397d3c795d1f02762c1893b4665f8f455882d27cb2cf52a7027da645e7b4d640948e7866be44
SSDEEP

12288:PRksbZaslyiNuCrHqfk3fVyLmg/Tf2LHrT:PR7bCcuUqfkvELT0T

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2172-140-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/2172-142-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/2172-143-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/2172-146-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/2172-151-0x0000000000400000-0x0000000000472000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3396 set thread context of 2172	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	95
PID 2172 set thread context of 3656	2172	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	97

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
2172	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 2172	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	95
PID 3396 wrote to memory of 2172	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	95
PID 3396 wrote to memory of 2172	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	95
PID 3396 wrote to memory of 2172	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	95
PID 3396 wrote to memory of 2172	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	95
PID 3396 wrote to memory of 2172	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	95
PID 3396 wrote to memory of 2172	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	95
PID 3396 wrote to memory of 2172	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	95
PID 2172 wrote to memory of 3656	2172	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	97
PID 2172 wrote to memory of 3656	2172	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	97
PID 2172 wrote to memory of 3656	2172	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	97
PID 2172 wrote to memory of 3656	2172	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	97
PID 2172 wrote to memory of 3656	2172	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	97
PID 2172 wrote to memory of 3656	2172	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	97
PID 2172 wrote to memory of 3656	2172	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	97
PID 3396 wrote to memory of 0	3396	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe

C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
"C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
  "C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
    "C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe"
    3⤵
    PID:3656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2172-146-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2172-142-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2172-143-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2172-140-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2172-151-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3396-136-0x0000000002C70000-0x0000000002C76000-memory.dmp

Filesize
24KB

Download
memory/3396-137-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3396-138-0x0000000002AD0000-0x0000000002B05000-memory.dmp

Filesize
212KB

Download
memory/3396-133-0x0000000002AD0000-0x0000000002B05000-memory.dmp

Filesize
212KB

Download
memory/3396-132-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/3656-150-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3656-148-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing