ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264

General

Target

ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
Size

6.0MB
MD5

f4ab1b42d214bf08b07e1678eaa91aaf
SHA1

dc74a1ed442abf0f2e7cc7f1b0d1ea88ed8350a0
SHA256

ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264
SHA512

15fc6384631cf97b3a2d8c9e314867206b6e0e6859a49df661da663782e1ae78c812ea707ddf26930faa5f452f01f70ddebfb51b749542b7c8879ff373685ad9
SSDEEP

98304:SCt1JY9zA6L+d9ggTr5oCQn+ae4lPI7TCXAFRab/6/k4z/xZXIVdbs2I:Sw1J0zApqar5o+NzCXcRaT6/k4zxZYV+

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1944-0-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-3-0x00000000019A0000-0x00000000019C6000-memory.dmp	upx
behavioral1/memory/1944-1-0x00000000019A0000-0x00000000019C6000-memory.dmp	upx
behavioral1/memory/1944-7-0x00000000019A0000-0x00000000019C6000-memory.dmp	upx
behavioral1/memory/1944-9-0x00000000019A0000-0x00000000019C6000-memory.dmp	upx
behavioral1/memory/1944-12-0x00000000019A0000-0x00000000019C6000-memory.dmp	upx
behavioral1/memory/1944-13-0x00000000019A0000-0x00000000019C6000-memory.dmp	upx
behavioral1/memory/1944-11-0x00000000019A0000-0x00000000019C6000-memory.dmp	upx
behavioral1/memory/1944-5-0x00000000019A0000-0x00000000019C6000-memory.dmp	upx
behavioral1/memory/1944-19-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-23-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-24-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-27-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-28-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-29-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-30-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-31-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-32-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-33-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-34-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-35-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-36-0x0000000000400000-0x000000000193F000-memory.dmp	upx
behavioral1/memory/1944-37-0x0000000000400000-0x000000000193F000-memory.dmp	upx

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2524	systeminfo.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1944	ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
1944	ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
1944	ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2848	1944	ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe	29
PID 1944 wrote to memory of 2848	1944	ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe	29
PID 1944 wrote to memory of 2848	1944	ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe	29
PID 1944 wrote to memory of 2848	1944	ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe	29
PID 2848 wrote to memory of 2524	2848	cmd.exe	31
PID 2848 wrote to memory of 2524	2848	cmd.exe	31
PID 2848 wrote to memory of 2524	2848	cmd.exe	31
PID 2848 wrote to memory of 2524	2848	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
"C:\Users\Admin\AppData\Local\Temp\ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c systeminfo > "C:\Users\Admin\AppData\Local\Temp\\systeminfo.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\systeminfo.txt

Filesize
1KB

MD5
6478b7787292a220f1955a9c3d529cba

SHA1
8b5c5c6c01f92bc6b506da160f431039e9fa3c4d

SHA256
1155a764c0decae631eca8e6351f7cf9768830cb948477485fc5d54a45ef47fc

SHA512
abebf7b326c9270988e3a8781cb242b5d4d42376795e580ab72b070f0360b874a61aee7aa7b2f64d9ab69517ead76c161afcf581289017b5f02b8ba377b2d3b7

Download Submit
memory/1944-21-0x0000000001940000-0x0000000001999000-memory.dmp

Filesize
356KB

Download
memory/1944-37-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-19-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-7-0x00000000019A0000-0x00000000019C6000-memory.dmp

Filesize
152KB

Download
memory/1944-9-0x00000000019A0000-0x00000000019C6000-memory.dmp

Filesize
152KB

Download
memory/1944-12-0x00000000019A0000-0x00000000019C6000-memory.dmp

Filesize
152KB

Download
memory/1944-13-0x00000000019A0000-0x00000000019C6000-memory.dmp

Filesize
152KB

Download
memory/1944-14-0x0000000001940000-0x0000000001999000-memory.dmp

Filesize
356KB

Download
memory/1944-16-0x00000000FFFA0000-0x00000000FFFA1000-memory.dmp

Filesize
4KB

Download
memory/1944-15-0x0000000001940000-0x0000000001999000-memory.dmp

Filesize
356KB

Download
memory/1944-11-0x00000000019A0000-0x00000000019C6000-memory.dmp

Filesize
152KB

Download
memory/1944-5-0x00000000019A0000-0x00000000019C6000-memory.dmp

Filesize
152KB

Download
memory/1944-18-0x000000007797D000-0x0000000077A06000-memory.dmp

Filesize
548KB

Download
memory/1944-17-0x0000000001940000-0x0000000001999000-memory.dmp

Filesize
356KB

Download
memory/1944-1-0x00000000019A0000-0x00000000019C6000-memory.dmp

Filesize
152KB

Download
memory/1944-22-0x000000007797D000-0x000000007797E000-memory.dmp

Filesize
4KB

Download
memory/1944-3-0x00000000019A0000-0x00000000019C6000-memory.dmp

Filesize
152KB

Download
memory/1944-23-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-24-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-2-0x0000000001940000-0x0000000001999000-memory.dmp

Filesize
356KB

Download
memory/1944-27-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-28-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-29-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-30-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-31-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-32-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-33-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-34-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-35-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-36-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download
memory/1944-0-0x0000000000400000-0x000000000193F000-memory.dmp

Filesize
21.2MB

Download

Analysis

Sharing