b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490

General

Target

b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe
Size

90KB
MD5

fb9cd329240fc0ba26322f98b40deeb0
SHA1

fe6a9de94e3e72c263f37c2e91ad15cb6cf7cdb7
SHA256

b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490
SHA512

fc84ebeadb0d1530694964488a6257f898591ddbc9e41a7830c5a8afb4cc91fe7ebf27af6ce8a1e03f0f6fc0c954f10beafc2bd3a94f65fb28102fd670bc3405
SSDEEP

768:PsrHimMrU83xpZ+wwApxvrrMJOJBWROXDr4OtfRPYiY:PsrhZ83DIw3LB4UVNF

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1552	regedit.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-55-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
988	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
988	rundll32.exe
988	rundll32.exe
988	rundll32.exe
988	rundll32.exe
988	rundll32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\help\regedit.exe	rundll32.exe
File opened for modification	C:\Windows\help\lpk.dll	rundll32.exe
File created	C:\Windows\help\regedit.exe	rundll32.exe

Runs regedit.exe 1 IoCs

pid	Process
1552	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
988	rundll32.exe
988	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 988	1732	b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe	27
PID 1732 wrote to memory of 988	1732	b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe	27
PID 1732 wrote to memory of 988	1732	b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe	27
PID 1732 wrote to memory of 988	1732	b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe	27
PID 1732 wrote to memory of 988	1732	b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe	27
PID 1732 wrote to memory of 988	1732	b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe	27
PID 1732 wrote to memory of 988	1732	b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe	27
PID 988 wrote to memory of 1552	988	rundll32.exe	28
PID 988 wrote to memory of 1552	988	rundll32.exe	28
PID 988 wrote to memory of 1552	988	rundll32.exe	28
PID 988 wrote to memory of 1552	988	rundll32.exe	28

C:\Users\Admin\AppData\Local\Temp\b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe
"C:\Users\Admin\AppData\Local\Temp\b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\RECYCLER\KB970592.DLL,Init C:\Users\Admin\AppData\Local\Temp\b5362ee5bd675618474a4b9c62370fc6cd6949340d8d8585709c879b8fa2d490.exe|1732
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\help\regedit.exe
    C:\Windows\help\regedit.exe /pandora
    3⤵
    - Executes dropped EXE
    - Runs regedit.exe
    PID:1552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\KB970592.DLL

Filesize
64KB

MD5
a31caa28668070b35f85fe43eaf78611

SHA1
63afd8f74655e73c29596efcbf983442be378594

SHA256
091c002b319f5faf6ae02e99c4490a6ff0d58f12118e597b36e76ab01951c00f

SHA512
c8aefbb2fc50289f9c18ecec6152bec9080ee42c75c8b0a7e1fb5426ed69b860d9a94c2905b292877ec5c5ac9b0225926746633fe7b972c0a852e125bb8e477e

Download Submit
C:\Windows\Help\regedit.exe

Filesize
389KB

MD5
8a4883f5e7ac37444f23279239553878

SHA1
682214961228453c389854e81e6786df92bbfa67

SHA256
f318c94a46dbca88eefc3e28be51d27e5f91029dc062f56faaa995f0b5f8e518

SHA512
7f51e5278aaa5babfa8eb48fc414bf985775b39e1a94b84faffd995e82781dec87c54945edc6ae7570810c646f9f50256713d96ee7c4197a82a30e51145baa4a

Download Submit
\RECYCLER\KB970592.DLL

Filesize
64KB

MD5
a31caa28668070b35f85fe43eaf78611

SHA1
63afd8f74655e73c29596efcbf983442be378594

SHA256
091c002b319f5faf6ae02e99c4490a6ff0d58f12118e597b36e76ab01951c00f

SHA512
c8aefbb2fc50289f9c18ecec6152bec9080ee42c75c8b0a7e1fb5426ed69b860d9a94c2905b292877ec5c5ac9b0225926746633fe7b972c0a852e125bb8e477e

Download Submit
\RECYCLER\KB970592.DLL

Filesize
64KB

MD5
a31caa28668070b35f85fe43eaf78611

SHA1
63afd8f74655e73c29596efcbf983442be378594

SHA256
091c002b319f5faf6ae02e99c4490a6ff0d58f12118e597b36e76ab01951c00f

SHA512
c8aefbb2fc50289f9c18ecec6152bec9080ee42c75c8b0a7e1fb5426ed69b860d9a94c2905b292877ec5c5ac9b0225926746633fe7b972c0a852e125bb8e477e

Download Submit
\RECYCLER\KB970592.DLL

Filesize
64KB

MD5
a31caa28668070b35f85fe43eaf78611

SHA1
63afd8f74655e73c29596efcbf983442be378594

SHA256
091c002b319f5faf6ae02e99c4490a6ff0d58f12118e597b36e76ab01951c00f

SHA512
c8aefbb2fc50289f9c18ecec6152bec9080ee42c75c8b0a7e1fb5426ed69b860d9a94c2905b292877ec5c5ac9b0225926746633fe7b972c0a852e125bb8e477e

Download Submit
\RECYCLER\KB970592.DLL

Filesize
64KB

MD5
a31caa28668070b35f85fe43eaf78611

SHA1
63afd8f74655e73c29596efcbf983442be378594

SHA256
091c002b319f5faf6ae02e99c4490a6ff0d58f12118e597b36e76ab01951c00f

SHA512
c8aefbb2fc50289f9c18ecec6152bec9080ee42c75c8b0a7e1fb5426ed69b860d9a94c2905b292877ec5c5ac9b0225926746633fe7b972c0a852e125bb8e477e

Download Submit
\Windows\Help\regedit.exe

Filesize
389KB

MD5
8a4883f5e7ac37444f23279239553878

SHA1
682214961228453c389854e81e6786df92bbfa67

SHA256
f318c94a46dbca88eefc3e28be51d27e5f91029dc062f56faaa995f0b5f8e518

SHA512
7f51e5278aaa5babfa8eb48fc414bf985775b39e1a94b84faffd995e82781dec87c54945edc6ae7570810c646f9f50256713d96ee7c4197a82a30e51145baa4a

Download Submit
memory/988-56-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1732-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing