c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de

General

Target

c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe
Size

1.6MB
MD5

61494a835ce331d776c27fc6584930c7
SHA1

b8c85f0cfb217441608e7019f193579e03047082
SHA256

c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de
SHA512

c605862f9b9264d7333b75091f1f7495459680139f0e44a6db3826ac51091cea83f5a051513c979219029ae694cab073231fea4d3adfed31000dbb7e6a3cd902
SSDEEP

49152:O2Jd3BBHWSCVaUMmKaEahivTVLW2Rx0fC+jeE6N:O2j3BzCVVFKa+7I5fC+S7N

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1200	Engine.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000133e5-55.dat	upx
behavioral1/files/0x00090000000133e5-57.dat	upx
behavioral1/memory/1200-60-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1200-65-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1200-73-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
316	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1592	powershell.exe
1592	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1200	316	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	28
PID 316 wrote to memory of 1200	316	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	28
PID 316 wrote to memory of 1200	316	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	28
PID 316 wrote to memory of 1200	316	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	28
PID 316 wrote to memory of 1200	316	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	28
PID 316 wrote to memory of 1200	316	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	28
PID 316 wrote to memory of 1200	316	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	28
PID 1200 wrote to memory of 776	1200	Engine.exe	29
PID 1200 wrote to memory of 776	1200	Engine.exe	29
PID 1200 wrote to memory of 776	1200	Engine.exe	29
PID 1200 wrote to memory of 776	1200	Engine.exe	29
PID 776 wrote to memory of 904	776	cmd.exe	31
PID 776 wrote to memory of 904	776	cmd.exe	31
PID 776 wrote to memory of 904	776	cmd.exe	31
PID 776 wrote to memory of 904	776	cmd.exe	31
PID 904 wrote to memory of 1592	904	cmd.exe	32
PID 904 wrote to memory of 1592	904	cmd.exe	32
PID 904 wrote to memory of 1592	904	cmd.exe	32
PID 904 wrote to memory of 1592	904	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe
"C:\Users\Admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\SETUP_35926\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_35926\Engine.exe /TH_ID=_1076 /OriginExe="C:\Users\Admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd < Translated.cda
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP_35926\00000#Pools.cda

Filesize
1.5MB

MD5
5dd1213377ce2f40b914c5ea22166b55

SHA1
988e9e72aeecf060b3ed72f61763bd130784bca9

SHA256
d7909fd46fabe766cb531a7cb0e23243c40c8f60918c7dd68612734606ce5ec7

SHA512
35735187cfe55f73920ea62cebdb39fdb0f492b6290cd46cfb236199d7853d64fbc2af0cc263b2fdd8e92e5b55cac60cc3f9a3634ead024b50491fa29f77fca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35926\00001#Thousands.cda

Filesize
872KB

MD5
36f5c4696f54a98e1bf256df033e34cf

SHA1
52bc9d595effbf4e4b10b3381f44e0306a42d0f4

SHA256
656af4bee6b89094a6828394bf7ea26058abf5186ab606b15440ac1b33fdadcd

SHA512
7763dfba62149936fa494e7d95117e7ae1ff6010dfe5ff999baddc090f3c5f731043513bcd1d0529f4d8daaa6d29dfd9c5bbd268ca6736ca146df68ad8321a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35926\00002#Translated.cda

Filesize
11KB

MD5
fadbcd2fb4be032ff6145b94eeed068e

SHA1
5cec98c304099488f9f31f61856700a0b8733a34

SHA256
c288b141d2988401ef472325b601d4ee2b4a16b71e6637a7f252556fabe59412

SHA512
4e14c3f89bcb0efab9ef26defdca7ce3d47c9a608b854cc23d47fb600def1e1e859f155203a4ccd3fb691f821d675c89cc003bca665c93c628c2e6010b500a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35926\Engine.exe

Filesize
392KB

MD5
e57156daad46c61a0395df1fdbadc766

SHA1
11c4359be8649ed873fa1904c89b51ef6a631081

SHA256
dca85f4607b1535bd9daad75f57646b53d2b7e2a381a2306ab62cce0e61b1a35

SHA512
94e5cd2233733f5ecd08fec3cfa82ccd71302697f8c37f8fb04d8dabf75cd2d7a58ce24080b1464a73e0d587a3d611056464ff54ff0bc9cc3d190156cbd8ecf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35926\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_35926\Setup.txt

Filesize
2KB

MD5
e143502369ba42ea20e32419536742aa

SHA1
934b2801180d21671ea388d6c608d694617f3f6b

SHA256
b242bd6554cf480c29129c89b693a49cd37452a796211e8a6b747423c93bce8f

SHA512
407eb2cca10016cc15b6f8e37e2ce60aa34b3c314cf84c2389311c39a0c766571db3182e28efc71eb82d168b074072aa9d35bdba9dfea40a5ef3abf7d7838b0e

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP_35926\Engine.exe

Filesize
392KB

MD5
e57156daad46c61a0395df1fdbadc766

SHA1
11c4359be8649ed873fa1904c89b51ef6a631081

SHA256
dca85f4607b1535bd9daad75f57646b53d2b7e2a381a2306ab62cce0e61b1a35

SHA512
94e5cd2233733f5ecd08fec3cfa82ccd71302697f8c37f8fb04d8dabf75cd2d7a58ce24080b1464a73e0d587a3d611056464ff54ff0bc9cc3d190156cbd8ecf2

Download Submit
memory/316-59-0x00000000023A0000-0x00000000024F8000-memory.dmp

Filesize
1.3MB

Download
memory/316-64-0x00000000023A0000-0x00000000024F8000-memory.dmp

Filesize
1.3MB

Download
memory/316-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1200-60-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1200-65-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1200-73-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1592-72-0x0000000073610000-0x0000000073BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing