d800e488f259a78fc423f62f66b5ae89f632b6e97ffcb826853a93bf1bfd5130

General

Target

bc02d90763f0b879a7c15d6c3e0d032e.exe
Size

3.9MB
MD5

bc02d90763f0b879a7c15d6c3e0d032e
SHA1

d0a796ea5614da416eb88780f6783b308da7a875
SHA256

d800e488f259a78fc423f62f66b5ae89f632b6e97ffcb826853a93bf1bfd5130
SHA512

e4dc547a8a84343c8466e7ff8e66f6eaf289acde8c6bee9bf4b600d2d56177451458a1c0374e4bed3e1da9564a7773a6a082f3c180aea5562067015f21cfad3e
SSDEEP

98304:K4XTT2lNL/Ecakcibiqhd+UhQdiqcakcibiqhtnr+ckuwkteNKUWcakcibiqhd+4:DXTT2PEdlirzJoiqdlirvTwTUNdlirz9

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1744	bc02d90763f0b879a7c15d6c3e0d032e.exe

Executes dropped EXE 1 IoCs

pid	Process
1744	bc02d90763f0b879a7c15d6c3e0d032e.exe

Loads dropped DLL 1 IoCs

pid	Process
2988	bc02d90763f0b879a7c15d6c3e0d032e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012234-15.dat	upx
behavioral1/files/0x000b000000012234-11.dat	upx
behavioral1/memory/2988-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2788	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2988	bc02d90763f0b879a7c15d6c3e0d032e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2988	bc02d90763f0b879a7c15d6c3e0d032e.exe
1744	bc02d90763f0b879a7c15d6c3e0d032e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1744	2988	bc02d90763f0b879a7c15d6c3e0d032e.exe	22
PID 2988 wrote to memory of 1744	2988	bc02d90763f0b879a7c15d6c3e0d032e.exe	22
PID 2988 wrote to memory of 1744	2988	bc02d90763f0b879a7c15d6c3e0d032e.exe	22
PID 2988 wrote to memory of 1744	2988	bc02d90763f0b879a7c15d6c3e0d032e.exe	22
PID 1744 wrote to memory of 2788	1744	bc02d90763f0b879a7c15d6c3e0d032e.exe	18
PID 1744 wrote to memory of 2788	1744	bc02d90763f0b879a7c15d6c3e0d032e.exe	18
PID 1744 wrote to memory of 2788	1744	bc02d90763f0b879a7c15d6c3e0d032e.exe	18
PID 1744 wrote to memory of 2788	1744	bc02d90763f0b879a7c15d6c3e0d032e.exe	18
PID 1744 wrote to memory of 3008	1744	bc02d90763f0b879a7c15d6c3e0d032e.exe	21
PID 1744 wrote to memory of 3008	1744	bc02d90763f0b879a7c15d6c3e0d032e.exe	21
PID 1744 wrote to memory of 3008	1744	bc02d90763f0b879a7c15d6c3e0d032e.exe	21
PID 1744 wrote to memory of 3008	1744	bc02d90763f0b879a7c15d6c3e0d032e.exe	21
PID 3008 wrote to memory of 2904	3008	cmd.exe	19
PID 3008 wrote to memory of 2904	3008	cmd.exe	19
PID 3008 wrote to memory of 2904	3008	cmd.exe	19
PID 3008 wrote to memory of 2904	3008	cmd.exe	19

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\bc02d90763f0b879a7c15d6c3e0d032e.exe" /TN QxutJGth3fd4 /F
1⤵
- Creates scheduled task(s)
PID:2788

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\u5iBghCz.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\bc02d90763f0b879a7c15d6c3e0d032e.exe
C:\Users\Admin\AppData\Local\Temp\bc02d90763f0b879a7c15d6c3e0d032e.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\bc02d90763f0b879a7c15d6c3e0d032e.exe
"C:\Users\Admin\AppData\Local\Temp\bc02d90763f0b879a7c15d6c3e0d032e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bc02d90763f0b879a7c15d6c3e0d032e.exe

Filesize
124KB

MD5
73fc164126a8a6c2b9f2f9e93690e4e6

SHA1
e4466ad769bcfa9161cecf32efce038756a09c01

SHA256
b44733d896ae036d5295b71ee03499557eaf2f701fec776f50bd86180fe29984

SHA512
fb679eb8bcc080aee56b2a24ec0cc96d03f1bdc964d68d77547b719289c14e6af72ac1b084a50f08947c2232ab024e24c50721015ff13b0f0f79608f5ffacc8d

Download Submit
\Users\Admin\AppData\Local\Temp\bc02d90763f0b879a7c15d6c3e0d032e.exe

Filesize
78KB

MD5
8760f22f8eb94ce166830913b8e9924a

SHA1
93a901dc8fe090c92c43458af8fa44945a9d5e31

SHA256
6e8ffcd15c6e66262e21e42586e3cae271bb33617718c0d9fad99a9518044808

SHA512
b633b395f7fbe55666ec6e80a410e297de6da63bcaf8b9165006c14c593c1d33db2f516f847e847c20bfd839c7a1d9797ffe36723949300bcdf1c55e31bebe18

Download Submit
memory/1744-18-0x0000000022DF0000-0x0000000022E6E000-memory.dmp

Filesize
504KB

Download
memory/1744-30-0x0000000000280000-0x00000000002EB000-memory.dmp

Filesize
428KB

Download
memory/1744-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1744-21-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1744-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2988-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2988-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2988-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2988-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads