de3440c281f59832e96e0760264ac5fc61cb9b1ea74a7e348bff0262aa285a31

General

Target

4cd4d7e73dd6b0c16694fd4a6bbde839.exe
Size

7.0MB
MD5

4cd4d7e73dd6b0c16694fd4a6bbde839
SHA1

bf6f1f08acf87a9b3d703c8b41ceba6ef5647950
SHA256

de3440c281f59832e96e0760264ac5fc61cb9b1ea74a7e348bff0262aa285a31
SHA512

f142f412a714e90e368739dda5b779e8e9431266196f2b7dda0ea231390b07e542e7d50cbfde2a5aa4977043c9a76d8e9de07165be65bac79f38c8916c78dd7d
SSDEEP

196608:Wlycz5S32UISklLrkS0XB9t7xRRPp1HgHrfQC3ewHz:Wwcz5S32UOl0SQ9t7dp1HgLfp3R

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
288	gpuz_installer.exe
592	gpuz_installer.tmp

Loads dropped DLL 2 IoCs

pid	Process
316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe
288	gpuz_installer.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/316-54-0x0000000000CA0000-0x000000000283A000-memory.dmp	upx
behavioral1/memory/316-72-0x0000000000CA0000-0x000000000283A000-memory.dmp	upx

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
592	gpuz_installer.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 288	316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe	28
PID 316 wrote to memory of 288	316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe	28
PID 316 wrote to memory of 288	316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe	28
PID 316 wrote to memory of 288	316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe	28
PID 316 wrote to memory of 288	316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe	28
PID 316 wrote to memory of 288	316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe	28
PID 316 wrote to memory of 288	316	4cd4d7e73dd6b0c16694fd4a6bbde839.exe	28
PID 288 wrote to memory of 592	288	gpuz_installer.exe	29
PID 288 wrote to memory of 592	288	gpuz_installer.exe	29
PID 288 wrote to memory of 592	288	gpuz_installer.exe	29
PID 288 wrote to memory of 592	288	gpuz_installer.exe	29
PID 288 wrote to memory of 592	288	gpuz_installer.exe	29
PID 288 wrote to memory of 592	288	gpuz_installer.exe	29
PID 288 wrote to memory of 592	288	gpuz_installer.exe	29

C:\Users\Admin\AppData\Local\Temp\4cd4d7e73dd6b0c16694fd4a6bbde839.exe
"C:\Users\Admin\AppData\Local\Temp\4cd4d7e73dd6b0c16694fd4a6bbde839.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\\gpuz_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Users\Admin\AppData\Local\Temp\is-TMJGG.tmp\gpuz_installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-TMJGG.tmp\gpuz_installer.tmp" /SL5="$8012A,721408,721408,C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

Filesize
1.4MB

MD5
a1fe286199f82dc9a1f64fa2d677240a

SHA1
c64f7ff5f90fa49d877914aa25dd741cdaa7ec2e

SHA256
6d41cb901f463a0c814fff8f7740d7757379eba822c47ec17630c91f5ba8626e

SHA512
c536874fd0e3ceca7728145fab4b8f41a3ce49dfe250dfc2c09593571cdec2a7d3f4c784112e06bc87c3a4fdf065e3c72f296b9fe2a5a95bd79994fe25c01a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

Filesize
1.4MB

MD5
a1fe286199f82dc9a1f64fa2d677240a

SHA1
c64f7ff5f90fa49d877914aa25dd741cdaa7ec2e

SHA256
6d41cb901f463a0c814fff8f7740d7757379eba822c47ec17630c91f5ba8626e

SHA512
c536874fd0e3ceca7728145fab4b8f41a3ce49dfe250dfc2c09593571cdec2a7d3f4c784112e06bc87c3a4fdf065e3c72f296b9fe2a5a95bd79994fe25c01a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMJGG.tmp\gpuz_installer.tmp

Filesize
2.4MB

MD5
8e2d270339dcd0a68fbb2f02a65d45dd

SHA1
bfcdb1f71692020858f96960e432e94a4e70c4a4

SHA256
506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

SHA512
31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

Download Submit
\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

Filesize
1.4MB

MD5
a1fe286199f82dc9a1f64fa2d677240a

SHA1
c64f7ff5f90fa49d877914aa25dd741cdaa7ec2e

SHA256
6d41cb901f463a0c814fff8f7740d7757379eba822c47ec17630c91f5ba8626e

SHA512
c536874fd0e3ceca7728145fab4b8f41a3ce49dfe250dfc2c09593571cdec2a7d3f4c784112e06bc87c3a4fdf065e3c72f296b9fe2a5a95bd79994fe25c01a8c

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMJGG.tmp\gpuz_installer.tmp

Filesize
2.4MB

MD5
8e2d270339dcd0a68fbb2f02a65d45dd

SHA1
bfcdb1f71692020858f96960e432e94a4e70c4a4

SHA256
506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

SHA512
31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

Download Submit
memory/288-62-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/288-74-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/316-54-0x0000000000CA0000-0x000000000283A000-memory.dmp

Filesize
27.6MB

Download
memory/316-55-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/316-72-0x0000000000CA0000-0x000000000283A000-memory.dmp

Filesize
27.6MB

Download
memory/316-73-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/592-71-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/592-75-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing