de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb

General

Target

de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb.exe
Size

2.9MB
MD5

fae0a9935ee9644f68885748c0d9d307
SHA1

ad30a22fdacad5899332cdd76e6504cc49fce8d8
SHA256

de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb
SHA512

6cda97bbab4e7c2b82bd891e80271c6ae8a85875b37cd260ba52e144564736d3d9d147ff86818287a8575cdda8a5a4555c572cf019eb01f7d081aa508d0cafdf
SSDEEP

49152:JWBl44CRR1vghRtx0j5x2Y3mI2gQSo97p2Vd1xdDT/PlVgWBy3AHHFPYJ4ACdCnn:JWuRXYhRtGj5x2OmgC7QHxZPgWB/HHFY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1508	svctmfst.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1980-13-0x0000000000280000-0x000000000028B000-memory.dmp	upx
behavioral1/memory/1980-14-0x0000000000280000-0x000000000028B000-memory.dmp	upx
behavioral1/memory/1980-12-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/1508-34-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/1508-33-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/1508-36-0x0000000000240000-0x000000000024B000-memory.dmp	upx
behavioral1/memory/1508-46-0x0000000000240000-0x000000000024B000-memory.dmp	upx

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1980-0-0x0000000000400000-0x00000000009FB000-memory.dmp	vmprotect
behavioral1/memory/1980-9-0x0000000000400000-0x00000000009FB000-memory.dmp	vmprotect
behavioral1/memory/1980-21-0x0000000002B40000-0x000000000313B000-memory.dmp	vmprotect
behavioral1/memory/1980-20-0x0000000000400000-0x00000000009FB000-memory.dmp	vmprotect
behavioral1/files/0x0001000000000026-19.dat	vmprotect
behavioral1/files/0x0001000000000026-18.dat	vmprotect
behavioral1/memory/1508-22-0x0000000000400000-0x00000000009FB000-memory.dmp	vmprotect
behavioral1/memory/1508-31-0x0000000000400000-0x00000000009FB000-memory.dmp	vmprotect
behavioral1/memory/1980-42-0x0000000002B40000-0x000000000313B000-memory.dmp	vmprotect
behavioral1/memory/1508-45-0x0000000000400000-0x00000000009FB000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1980	de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb.exe
1508	svctmfst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1980	de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb.exe
1508	svctmfst.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1508	1980	de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb.exe	28
PID 1980 wrote to memory of 1508	1980	de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb.exe	28
PID 1980 wrote to memory of 1508	1980	de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb.exe	28
PID 1980 wrote to memory of 1508	1980	de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb.exe	28

C:\Users\Admin\AppData\Local\Temp\de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb.exe
"C:\Users\Admin\AppData\Local\Temp\de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980
- F:\svctmfst.exe
  F:\svctmfst.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

F:\svctmfst.exe

Filesize
2.9MB

MD5
fae0a9935ee9644f68885748c0d9d307

SHA1
ad30a22fdacad5899332cdd76e6504cc49fce8d8

SHA256
de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb

SHA512
6cda97bbab4e7c2b82bd891e80271c6ae8a85875b37cd260ba52e144564736d3d9d147ff86818287a8575cdda8a5a4555c572cf019eb01f7d081aa508d0cafdf

Download Submit
F:\svctmfst.exe

Filesize
2.9MB

MD5
fae0a9935ee9644f68885748c0d9d307

SHA1
ad30a22fdacad5899332cdd76e6504cc49fce8d8

SHA256
de53a5619723d6c32635856ba2ab623cc220e0eb2893d07a1671315121d8eacb

SHA512
6cda97bbab4e7c2b82bd891e80271c6ae8a85875b37cd260ba52e144564736d3d9d147ff86818287a8575cdda8a5a4555c572cf019eb01f7d081aa508d0cafdf

Download Submit
memory/1508-33-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1508-22-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/1508-45-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/1508-46-0x0000000000240000-0x000000000024B000-memory.dmp

Filesize
44KB

Download
memory/1508-38-0x0000000077800000-0x0000000077801000-memory.dmp

Filesize
4KB

Download
memory/1508-37-0x00000000779B0000-0x00000000779B1000-memory.dmp

Filesize
4KB

Download
memory/1508-36-0x0000000000240000-0x000000000024B000-memory.dmp

Filesize
44KB

Download
memory/1508-34-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1508-31-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/1980-3-0x00000000779B0000-0x00000000779B1000-memory.dmp

Filesize
4KB

Download
memory/1980-7-0x0000000077800000-0x0000000077801000-memory.dmp

Filesize
4KB

Download
memory/1980-1-0x00000000779B0000-0x00000000779B1000-memory.dmp

Filesize
4KB

Download
memory/1980-20-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/1980-0-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/1980-21-0x0000000002B40000-0x000000000313B000-memory.dmp

Filesize
6.0MB

Download
memory/1980-12-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1980-14-0x0000000000280000-0x000000000028B000-memory.dmp

Filesize
44KB

Download
memory/1980-42-0x0000000002B40000-0x000000000313B000-memory.dmp

Filesize
6.0MB

Download
memory/1980-13-0x0000000000280000-0x000000000028B000-memory.dmp

Filesize
44KB

Download
memory/1980-9-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing