692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74

General

Target

692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe
Size

12.1MB
MD5

a45998de2eeee9bc97d0ac7065981909
SHA1

5d2dbbf9c9cddd30e7b84219b476ca32d01c7dbf
SHA256

692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74
SHA512

cc2097db5622736ea61c482170ed974d27a8333c9392a05dc764ecba404f86e61979af1d105bb3f12aafb397df123ce38e2e252e4d6ead864de30233abdc85b9
SSDEEP

196608:FBuCvh7pQoXhQET1AIxbx64b3s6lqOlAX:Luy7p7XhN5/x6o3s6lMX

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3068	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe
2528	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-4-0x0000000002F70000-0x000000000302E000-memory.dmp	upx
behavioral1/memory/3068-7-0x0000000002F70000-0x000000000302E000-memory.dmp	upx
behavioral1/memory/3068-6-0x0000000002F70000-0x000000000302E000-memory.dmp	upx
behavioral1/memory/3068-8-0x0000000002F70000-0x000000000302E000-memory.dmp	upx
behavioral1/memory/2528-34-0x0000000003340000-0x00000000033FE000-memory.dmp	upx
behavioral1/memory/2528-37-0x0000000003340000-0x00000000033FE000-memory.dmp	upx
behavioral1/memory/2528-38-0x0000000003340000-0x00000000033FE000-memory.dmp	upx
behavioral1/memory/2528-54-0x0000000003340000-0x00000000033FE000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\font_temp.ttf	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe
File opened for modification	C:\Windows\Fonts\font_temp.ttf	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2732	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3068	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe
3068	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe
2528	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe
2528	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2600	3068	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe	28
PID 3068 wrote to memory of 2600	3068	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe	28
PID 3068 wrote to memory of 2600	3068	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe	28
PID 3068 wrote to memory of 2600	3068	692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe	28
PID 2600 wrote to memory of 2732	2600	cmd.exe	30
PID 2600 wrote to memory of 2732	2600	cmd.exe	30
PID 2600 wrote to memory of 2732	2600	cmd.exe	30
PID 2600 wrote to memory of 2732	2600	cmd.exe	30
PID 2600 wrote to memory of 2528	2600	cmd.exe	31
PID 2600 wrote to memory of 2528	2600	cmd.exe	31
PID 2600 wrote to memory of 2528	2600	cmd.exe	31
PID 2600 wrote to memory of 2528	2600	cmd.exe	31
PID 2600 wrote to memory of 2528	2600	cmd.exe	31
PID 2600 wrote to memory of 2528	2600	cmd.exe	31
PID 2600 wrote to memory of 2528	2600	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe
"C:\Users\Admin\AppData\Local\Temp\692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\692e3a9e17351fc900b612d2be32cf05c8bbbf897c17aade7fd8dfd77cf27d74.exe
    "C:\Users\Admin\AppData\Local\Temp\692E3A~1.EXE"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
d999d92d0f9cf5d356aa67eab2ae9867

SHA1
c6bc5a344178a4df3e4cade4ff8c3196e8ed7607

SHA256
e41b26f70bdb4658a34091d4d9725ee378d8c9579f2f61a7c4640edf573459e6

SHA512
4863aa769458e2584a28d1f318774bac2bc67145c145c24534574c70e9bbc8357680780a0dbea87e88c140e139e253a54d290731bd48d3de938d9a99198582e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
d999d92d0f9cf5d356aa67eab2ae9867

SHA1
c6bc5a344178a4df3e4cade4ff8c3196e8ed7607

SHA256
e41b26f70bdb4658a34091d4d9725ee378d8c9579f2f61a7c4640edf573459e6

SHA512
4863aa769458e2584a28d1f318774bac2bc67145c145c24534574c70e9bbc8357680780a0dbea87e88c140e139e253a54d290731bd48d3de938d9a99198582e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
C:\WINDOWS\FONTS\FONT_TEMP.TTF

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
\Users\Admin\AppData\Local\Temp\f764d65.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
\Users\Admin\AppData\Local\Temp\f76adeb.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
memory/2528-38-0x0000000003340000-0x00000000033FE000-memory.dmp

Filesize
760KB

Download
memory/2528-34-0x0000000003340000-0x00000000033FE000-memory.dmp

Filesize
760KB

Download
memory/2528-37-0x0000000003340000-0x00000000033FE000-memory.dmp

Filesize
760KB

Download
memory/2528-53-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download
memory/2528-54-0x0000000003340000-0x00000000033FE000-memory.dmp

Filesize
760KB

Download
memory/3068-8-0x0000000002F70000-0x000000000302E000-memory.dmp

Filesize
760KB

Download
memory/3068-6-0x0000000002F70000-0x000000000302E000-memory.dmp

Filesize
760KB

Download
memory/3068-0-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download
memory/3068-7-0x0000000002F70000-0x000000000302E000-memory.dmp

Filesize
760KB

Download
memory/3068-4-0x0000000002F70000-0x000000000302E000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing