73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea

General

Target

73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe
Size

1.9MB
MD5

155ee7ec57a139a0b761f17ea03e9963
SHA1

d06e28649230663f10cf802707d0652b2ab31aee
SHA256

73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea
SHA512

2e2fdacf3926c32ff05c6b0138a915e8206f88b20a6347062e8fde3ec17c117a7fbd24af126d5fe2d34feb636f9732101ecdf1f8b2f4d3e28c241b1a2d7d66ba
SSDEEP

49152:3zw+vjUmjI1U9K1q3uoX8LVFSe3E4zANDCp1:3zw+vwYYn0YRYwANDCp1

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

v.exe

pid process

1100 v.exe
Loads dropped DLL 2 IoCs

Processes:

73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exev.exe

pid process

2036 73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe
1100 v.exe

pid	process
1100	v.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2036-66-0x0000000000400000-0x0000000000847000-memory.dmp	upx
behavioral1/memory/2036-68-0x0000000000400000-0x0000000000847000-memory.dmp	upx
behavioral1/memory/2036-71-0x0000000000400000-0x0000000000847000-memory.dmp	upx
behavioral1/memory/2036-73-0x0000000000400000-0x0000000000847000-memory.dmp	upx
behavioral1/memory/2036-79-0x0000000000400000-0x0000000000847000-memory.dmp	upx
behavioral1/memory/2036-95-0x0000000000400000-0x0000000000847000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe

pid process

2036 73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

v.exe

description pid process

Token: SeRestorePrivilege 1100 v.exe
Token: 35 1100 v.exe
Token: SeSecurityPrivilege 1100 v.exe
Token: SeSecurityPrivilege 1100 v.exe

description	pid	process
Token: SeRestorePrivilege	1100	v.exe
Token: 35	1100	v.exe
Token: SeSecurityPrivilege	1100	v.exe
Token: SeSecurityPrivilege	1100	v.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe

pid	process
2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe
2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 1988	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	cmd.exe
PID 2036 wrote to memory of 1988	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	cmd.exe
PID 2036 wrote to memory of 1988	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	cmd.exe
PID 2036 wrote to memory of 1988	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	cmd.exe
PID 2036 wrote to memory of 528	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	WScript.exe
PID 2036 wrote to memory of 528	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	WScript.exe
PID 2036 wrote to memory of 528	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	WScript.exe
PID 2036 wrote to memory of 528	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	WScript.exe
PID 1988 wrote to memory of 1912	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1912	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1912	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1912	1988	cmd.exe	reg.exe
PID 528 wrote to memory of 1268	528	WScript.exe	cmd.exe
PID 528 wrote to memory of 1268	528	WScript.exe	cmd.exe
PID 528 wrote to memory of 1268	528	WScript.exe	cmd.exe
PID 528 wrote to memory of 1268	528	WScript.exe	cmd.exe
PID 1268 wrote to memory of 1644	1268	cmd.exe	reg.exe
PID 1268 wrote to memory of 1644	1268	cmd.exe	reg.exe
PID 1268 wrote to memory of 1644	1268	cmd.exe	reg.exe
PID 1268 wrote to memory of 1644	1268	cmd.exe	reg.exe
PID 2036 wrote to memory of 1100	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	v.exe
PID 2036 wrote to memory of 1100	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	v.exe
PID 2036 wrote to memory of 1100	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	v.exe
PID 2036 wrote to memory of 1100	2036	73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe	v.exe

C:\Users\Admin\AppData\Local\Temp\73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe
"C:\Users\Admin\AppData\Local\Temp\73f26b38368473a7e56582cba90c0426adfffe7f5a187fdddfca35f96e6150ea.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
    3⤵
    PID:1912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
      4⤵
      PID:1644
- C:\Users\Public\xiaodaxzqxia\v.exe
  "C:\Users\Public\xiaodaxzqxia\v.exe" x 111 -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\xiaodaxzqxia\111

Filesize
1.3MB

MD5
2e7dba2c56e27f263d3d68d43936d84d

SHA1
0b47c3400026a96e682794df4afba1f550009db2

SHA256
d6b14b3a9ae0ee3a5a623e4af77e8a1a4739174d2807a9e1f8a966dcd61ef4ed

SHA512
51f6ea93421b5fdfebf4be765f661322471e099bc22d04b59c78498e849be2eee57ce2a3073e0a8b417ac1f8f476394966415107dbfdf7f402faf2e4fc50be3a

Download Submit
C:\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\Users\Public\xiaodaxzqxia\A.vbs

Filesize
107B

MD5
bcb223ea9c0598f04684216bcd0e12a6

SHA1
2661c8fbca3654a29fa261def7f16ea23a6f3165

SHA256
ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37

SHA512
77e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
memory/2036-66-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2036-79-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2036-73-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2036-71-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2036-68-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2036-95-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads