3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169

General

Target

3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
Size

14.3MB
MD5

fc4ac6512fd2f0f2ca0d1fb68d4a5aea
SHA1

cf454a97a0ef08c1b57b017ebfaf8800bdfbb6cf
SHA256

3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169
SHA512

2364026b189bd0ba0141d6cf4dfa626b22a29dbae102075912d23f07976ceb047713f830aac26f1d67d6e9abc5a9acdbb054919fb9016e5585c0f2419275e45e
SSDEEP

393216:EChlxODKnD+t/CLDOcIEVPK68eYuyQJ0XHVj:EiiALDfl3M

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4356	¸üÐÂ³ÌÐò.exe

Loads dropped DLL 2 IoCs

pid	Process
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/488-12-0x0000000010000000-0x0000000010019000-memory.dmp	upx
behavioral2/memory/488-13-0x00000000045B0000-0x00000000045C6000-memory.dmp	upx
behavioral2/memory/488-31-0x00000000045B0000-0x00000000045C6000-memory.dmp	upx
behavioral2/memory/488-34-0x0000000010000000-0x0000000010019000-memory.dmp	upx

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/488-0-0x0000000000400000-0x000000000256F000-memory.dmp	vmprotect
behavioral2/memory/488-3-0x0000000000400000-0x000000000256F000-memory.dmp	vmprotect
behavioral2/memory/488-17-0x0000000000400000-0x000000000256F000-memory.dmp	vmprotect
behavioral2/memory/488-24-0x0000000000400000-0x000000000256F000-memory.dmp	vmprotect
behavioral2/memory/488-29-0x0000000000400000-0x000000000256F000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
4356	¸üÐÂ³ÌÐò.exe
4356	¸üÐÂ³ÌÐò.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 4356	488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe	86
PID 488 wrote to memory of 4356	488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe	86
PID 488 wrote to memory of 4356	488	3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe	86

C:\Users\Admin\AppData\Local\Temp\3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe
"C:\Users\Admin\AppData\Local\Temp\3e0059339e4d46c53a07ac12469209fc6af0a78c895a11c2e7052161b844c169.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:488
- C:\Users\Admin\AppData\Local\Temp\¸üÐÂ³ÌÐò.exe
  C:\Users\Admin\AppData\Local\Temp\¸üÐÂ³ÌÐò.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
98KB

MD5
1dd2a4a0f4d21eb65db5895fca2ca489

SHA1
b0c0617f6f66b35e255ec9824cde41f382a60e80

SHA256
7a7f037bab8024a9d17fb225cc4aa04133081135ecc4be5bbb889c0fbebd7e0c

SHA512
214e7aa56e820ebec87a778293871672f7c4e92d06bdf5ba18a2fc536003b2e15ebdce65c1ae3c927a16fcfe865c1720a7262e7a700459c66b4ae563374518ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
98KB

MD5
1dd2a4a0f4d21eb65db5895fca2ca489

SHA1
b0c0617f6f66b35e255ec9824cde41f382a60e80

SHA256
7a7f037bab8024a9d17fb225cc4aa04133081135ecc4be5bbb889c0fbebd7e0c

SHA512
214e7aa56e820ebec87a778293871672f7c4e92d06bdf5ba18a2fc536003b2e15ebdce65c1ae3c927a16fcfe865c1720a7262e7a700459c66b4ae563374518ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
98KB

MD5
1dd2a4a0f4d21eb65db5895fca2ca489

SHA1
b0c0617f6f66b35e255ec9824cde41f382a60e80

SHA256
7a7f037bab8024a9d17fb225cc4aa04133081135ecc4be5bbb889c0fbebd7e0c

SHA512
214e7aa56e820ebec87a778293871672f7c4e92d06bdf5ba18a2fc536003b2e15ebdce65c1ae3c927a16fcfe865c1720a7262e7a700459c66b4ae563374518ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\¸üÐÂ³ÌÐò.exe

Filesize
788KB

MD5
80bccd3e6260683346673137eaed388e

SHA1
31e4943cfa22d79892a8a3d34c9d950fca35901c

SHA256
9e6acd6ea667943f6034e270247c57a29a430415468a9dac8ca0be1db2535e0a

SHA512
b1952260b094de10f2edf2dfdd23b4598214a8a8602384b3666b571e7be8677a29b1df88738b9ed2f41598a45e7519d44796d1ae55eb7bbd5f0cb208222fde94

Download Submit
C:\Users\Admin\AppData\Local\Temp\¸üÐÂ³ÌÐò.exe

Filesize
788KB

MD5
80bccd3e6260683346673137eaed388e

SHA1
31e4943cfa22d79892a8a3d34c9d950fca35901c

SHA256
9e6acd6ea667943f6034e270247c57a29a430415468a9dac8ca0be1db2535e0a

SHA512
b1952260b094de10f2edf2dfdd23b4598214a8a8602384b3666b571e7be8677a29b1df88738b9ed2f41598a45e7519d44796d1ae55eb7bbd5f0cb208222fde94

Download Submit
memory/488-7-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/488-24-0x0000000000400000-0x000000000256F000-memory.dmp

Filesize
33.4MB

Download
memory/488-6-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/488-8-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/488-12-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/488-13-0x00000000045B0000-0x00000000045C6000-memory.dmp

Filesize
88KB

Download
memory/488-14-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/488-17-0x0000000000400000-0x000000000256F000-memory.dmp

Filesize
33.4MB

Download
memory/488-5-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/488-4-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/488-3-0x0000000000400000-0x000000000256F000-memory.dmp

Filesize
33.4MB

Download
memory/488-0-0x0000000000400000-0x000000000256F000-memory.dmp

Filesize
33.4MB

Download
memory/488-2-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/488-1-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/488-29-0x0000000000400000-0x000000000256F000-memory.dmp

Filesize
33.4MB

Download
memory/488-31-0x00000000045B0000-0x00000000045C6000-memory.dmp

Filesize
88KB

Download
memory/488-32-0x0000000004990000-0x00000000049E6000-memory.dmp

Filesize
344KB

Download
memory/488-33-0x0000000004570000-0x00000000045A3000-memory.dmp

Filesize
204KB

Download
memory/488-34-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/488-35-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/488-36-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing