eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e

General

Target

eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe
Size

145KB
MD5

25e09a69bd25f08f394a713506dbc782
SHA1

7f498642088197cb68ce35b065e49a5f0341b842
SHA256

eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e
SHA512

b870b6b275bf56b8fccfca5fa41c2bb29a9846ed604a97c4d5951cfbfd2736adddf0a9c873b1b6038494bbb4546bedb5128dcc2d1551dc44ae44323357eacaff
SSDEEP

1536:wNjwK+Ff4q/yEtzz4ePjaEF6dUcnRcbSBT+WPsgs9tHUy3bJZMwAtZPlAe:4MZzt3tPjaddUjSBTtsEy3bgwArNAe

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1724-132-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4264-136-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4264-138-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1724-140-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4264-139-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4264-146-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 4264	1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	81
PID 4264 set thread context of 3480	4264	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3480	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe
3480	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe
3480	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe
3480	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe
4264	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4264	1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	81
PID 1724 wrote to memory of 4264	1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	81
PID 1724 wrote to memory of 4264	1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	81
PID 1724 wrote to memory of 4264	1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	81
PID 1724 wrote to memory of 4264	1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	81
PID 1724 wrote to memory of 4264	1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	81
PID 1724 wrote to memory of 4264	1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	81
PID 1724 wrote to memory of 4264	1724	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	81
PID 4264 wrote to memory of 3480	4264	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	82
PID 4264 wrote to memory of 3480	4264	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	82
PID 4264 wrote to memory of 3480	4264	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	82
PID 4264 wrote to memory of 3480	4264	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	82
PID 4264 wrote to memory of 3480	4264	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	82
PID 4264 wrote to memory of 3480	4264	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	82
PID 4264 wrote to memory of 3480	4264	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	82
PID 3480 wrote to memory of 652	3480	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	39
PID 3480 wrote to memory of 652	3480	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	39
PID 3480 wrote to memory of 652	3480	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	39
PID 3480 wrote to memory of 652	3480	eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:652
- C:\Users\Admin\AppData\Local\Temp\eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe
  "C:\Users\Admin\AppData\Local\Temp\eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe
    "C:\Users\Admin\AppData\Local\Temp\eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe
      C:\Users\Admin\AppData\Local\Temp\eea76572f3b42af7cf7bd361482271b6792b0a041b11b962ad101d16c943767e.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-148-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1724-140-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1724-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3480-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3480-144-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3480-149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3480-150-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4264-138-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4264-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4264-146-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4264-136-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing