66d77f29dc2fe4b41cc21edfafb67ad722c0547ff4800407ed2838a2eefb53f9

General

Target

81b6c1477a398daf4ae8f9bec222600f.exe
Size

3.2MB
MD5

81b6c1477a398daf4ae8f9bec222600f
SHA1

b32cd4823fc699edbf6c316fbeecc116e768c6d8
SHA256

66d77f29dc2fe4b41cc21edfafb67ad722c0547ff4800407ed2838a2eefb53f9
SHA512

0cf8914c397fd6b6f452ffbff092a0d3a79a04987cf89ee8c6bbf2d5fbd6cd9f4633fc720fa8ac4a341bfc18dd74d4e037978563d4ea9db09398844dcc33f2a3
SSDEEP

98304:Sa/DkBVo2qcakcNkJRyACo45BUcakcvIUaCRLdjvkBojQS0cakcNkJRyACo45BU2:dkfo3dlNjACoMUdlwlC/jvROdlNjACos

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2532	81b6c1477a398daf4ae8f9bec222600f.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	81b6c1477a398daf4ae8f9bec222600f.exe

Loads dropped DLL 1 IoCs

pid	Process
1244	81b6c1477a398daf4ae8f9bec222600f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1244-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001224d-11.dat	upx
behavioral1/memory/2532-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001224d-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2824	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1244	81b6c1477a398daf4ae8f9bec222600f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1244	81b6c1477a398daf4ae8f9bec222600f.exe
2532	81b6c1477a398daf4ae8f9bec222600f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2532	1244	81b6c1477a398daf4ae8f9bec222600f.exe	22
PID 1244 wrote to memory of 2532	1244	81b6c1477a398daf4ae8f9bec222600f.exe	22
PID 1244 wrote to memory of 2532	1244	81b6c1477a398daf4ae8f9bec222600f.exe	22
PID 1244 wrote to memory of 2532	1244	81b6c1477a398daf4ae8f9bec222600f.exe	22
PID 2532 wrote to memory of 2824	2532	81b6c1477a398daf4ae8f9bec222600f.exe	18
PID 2532 wrote to memory of 2824	2532	81b6c1477a398daf4ae8f9bec222600f.exe	18
PID 2532 wrote to memory of 2824	2532	81b6c1477a398daf4ae8f9bec222600f.exe	18
PID 2532 wrote to memory of 2824	2532	81b6c1477a398daf4ae8f9bec222600f.exe	18
PID 2532 wrote to memory of 3004	2532	81b6c1477a398daf4ae8f9bec222600f.exe	21
PID 2532 wrote to memory of 3004	2532	81b6c1477a398daf4ae8f9bec222600f.exe	21
PID 2532 wrote to memory of 3004	2532	81b6c1477a398daf4ae8f9bec222600f.exe	21
PID 2532 wrote to memory of 3004	2532	81b6c1477a398daf4ae8f9bec222600f.exe	21
PID 3004 wrote to memory of 2732	3004	cmd.exe	19
PID 3004 wrote to memory of 2732	3004	cmd.exe	19
PID 3004 wrote to memory of 2732	3004	cmd.exe	19
PID 3004 wrote to memory of 2732	3004	cmd.exe	19

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\81b6c1477a398daf4ae8f9bec222600f.exe" /TN QxutJGth3fd4 /F
1⤵
- Creates scheduled task(s)
PID:2824

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\JfItZ8tQ.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\81b6c1477a398daf4ae8f9bec222600f.exe
C:\Users\Admin\AppData\Local\Temp\81b6c1477a398daf4ae8f9bec222600f.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\81b6c1477a398daf4ae8f9bec222600f.exe
"C:\Users\Admin\AppData\Local\Temp\81b6c1477a398daf4ae8f9bec222600f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81b6c1477a398daf4ae8f9bec222600f.exe

Filesize
29KB

MD5
0d3a2c24a2c0f0db525b3f428f57f36d

SHA1
8efcb4dc9d40d8d77b61815e5a4891a53085d90f

SHA256
9990427f51b3649523f893d581bb9a967da3adfb63fc67ec80743954e41f1e8d

SHA512
23a079e3f7b5ab38f10a7c2acbc7dbe679efde0fc9c3e209ae684da50c2efdd2b2ccb6a69b2ea3a04cbf234b09665b4633ab1e11231581c07412ed48a91251f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JfItZ8tQ.xml

Filesize
1KB

MD5
a317df8df77b5b281243b7a91014d198

SHA1
5ddd10db431362adbdcb30bb8014d4454fb2d6a2

SHA256
c8cc404247a0286e797344087e8fd2c546483cbfe030d4efe53836bd44c8e884

SHA512
6db81a17ef1a22c3ba70e01eea09ae8f3865da157e09cc613b8a10bf6ede02d84ee25c4a101944bd55afb0b5dbb49e09f3a77bd919f106991a51fb47ad4fc565

Download Submit
\Users\Admin\AppData\Local\Temp\81b6c1477a398daf4ae8f9bec222600f.exe

Filesize
5KB

MD5
21aa4606ec200e364eb05299f44f1803

SHA1
ef21bc637c6ce93ecf486aab5b838045ed454485

SHA256
a1a4141201ebb20fa671e79d96ad0dd7bd5b71bd9989f16393367a468dad43e4

SHA512
e7ac559ba436d3942120df6934c05b8030f77a19bc0e52499b38247379c3c31decee1d6e37566816da4157c6d9e23a5de8f697d3335e9bd19bf7b7fb861f7cc0

Download Submit
memory/1244-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1244-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1244-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1244-5-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2532-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2532-20-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/2532-26-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2532-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads