f0062067c120a8f25766476d9155dbfb0a76845a395b24b810bca895b110f735

Reason

Machine shutdown

General

Target

0dfde1a4c8f38abc290a7e4ad757edea.exe
Size

1.6MB
MD5

0dfde1a4c8f38abc290a7e4ad757edea
SHA1

a267435dd6ed2994325bf13f88710e48088b0a31
SHA256

f0062067c120a8f25766476d9155dbfb0a76845a395b24b810bca895b110f735
SHA512

47c479981b786201eaceed43fbb382135c038067eb1495d431ea3ea712f99e2e32dc23cbbfa34b8a47d09b500fc6b817f7d6b4ba01918d2b745a83e353382d07
SSDEEP

49152:YzP7qZDJfRuuDO3AWHGqB8NNOyeDrmQ0w13:YsuIwmvNNE/50w13

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/636-10-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-26-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-29-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-34-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-43-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-51-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-59-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-58-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-56-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-54-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-49-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-47-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-45-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-40-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-38-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-36-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-31-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-24-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-22-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-20-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-18-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-16-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-14-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-13-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-12-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-8-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/636-60-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 14 IoCs

evasion

pid	Process
2200	taskkill.exe
2904	taskkill.exe
2624	taskkill.exe
5100	taskkill.exe
1136	taskkill.exe
4576	taskkill.exe
4852	taskkill.exe
3860	taskkill.exe
1588	taskkill.exe
4700	taskkill.exe
1528	taskkill.exe
1072	taskkill.exe
3908	taskkill.exe
4200	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\0dfde1a4c8f38abc290a7e4ad757edea.exe
"C:\Users\Admin\AppData\Local\Temp\0dfde1a4c8f38abc290a7e4ad757edea.exe"
1⤵
PID:2912
- C:\Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
  C:\Users\Admin\AppData\Local\Temp\°×½ð°æ.exe
  2⤵
  PID:636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 360tray.exe
    3⤵
    - Kills process with taskkill
    PID:2200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im VsTskMgr.exe
    3⤵
    - Kills process with taskkill
    PID:1588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Mcshield.exe
    3⤵
    - Kills process with taskkill
    PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ravmon.exe
    3⤵
    - Kills process with taskkill
    PID:4200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rav.exe
    3⤵
    - Kills process with taskkill
    PID:2904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im KVXP.kxp
    3⤵
    - Kills process with taskkill
    PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kavsvc.exe
    3⤵
    - Kills process with taskkill
    PID:4576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 360tray.exe
    3⤵
    - Kills process with taskkill
    PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im VsTskMgr.exe
    3⤵
    - Kills process with taskkill
    PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Mcshield.exe
    3⤵
    - Kills process with taskkill
    PID:4852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ravmon.exe
    3⤵
    - Kills process with taskkill
    PID:1072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Rav.exe
    3⤵
    - Kills process with taskkill
    PID:2624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im KVXP.kxp
    3⤵
    - Kills process with taskkill
    PID:5100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im kavsvc.exe
    3⤵
    - Kills process with taskkill
    PID:3860

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv n/w2P/mOok+kh9SjKXsYbg.0
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 636 -ip 636
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\°×½ð°æ.exe

Filesize
34KB

MD5
1221011a4fc1cf2db55943b1a8eb34ec

SHA1
bb681e61a4dbc2bdbec091094f6f6e028e0acf0b

SHA256
021bf4102355b0475589cbf60160c943683909efd934d16d13c9a838a7e30e6b

SHA512
fc45e15653897789ea412b4c33b580d5513af711d537883c961d87348ca7a8f93832f2f505091958156a2246d7dd74eb7ccaeab95674eaffd551110e60440ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\°×½ð°æ.exe

Filesize
23KB

MD5
ad126dd627f4278fe76ce827d38b57b3

SHA1
96a5bdf1f4ad6a75d8fbf5cb9f8a0e808f98a63b

SHA256
0fb16bf12d4fbca9a159307cb558c164147378e0f6bc7c162cbe666776e09c1f

SHA512
d0b7c16a4dc7e485dc979d33c5d5fa7fdfdb3440875970f103b1ca867cab1a494632547c8a87178a2273c0dba05ef784484df2c23265d58dc8ab795ef7900260

Download Submit
memory/636-45-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-38-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-26-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-29-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-34-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-43-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-51-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-59-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-58-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-56-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-54-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-53-0x00000000008A0000-0x00000000008A2000-memory.dmp

Filesize
8KB

Download
memory/636-49-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-47-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-10-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-7-0x00000000008A0000-0x00000000008A2000-memory.dmp

Filesize
8KB

Download
memory/636-31-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-36-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-40-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-24-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-22-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-20-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-18-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-16-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-14-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-13-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-12-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-8-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-6-0x0000000000400000-0x0000000000858000-memory.dmp

Filesize
4.3MB

Download
memory/636-60-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/636-61-0x0000000000400000-0x0000000000858000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

Errors