e0e554a0510af40ffb04af3f5224b2f3e3d37c1b460df1a3eb7460f3e7965c75

General

Target

06ab8d4de50d9a8cfdd1e939baa3496d.exe
Size

128KB
MD5

06ab8d4de50d9a8cfdd1e939baa3496d
SHA1

ca8715049b9a5b519c69f9de4531af83c94d657a
SHA256

e0e554a0510af40ffb04af3f5224b2f3e3d37c1b460df1a3eb7460f3e7965c75
SHA512

e60ccad466b68675b8165684501524822fc067ce33474edf18af99426ad10d6989803795553482d6b8529332869265485381d89e3be9a4449d7a3127f23d29d5
SSDEEP

3072:JCSY7w5vzZwUpX1GOdQ7nu4hEeCZrSJiT8T9g+lx27GwNiujQ5G940qnDOJa7aIN:829

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2828	msnmsgr.exe
2692	msnmsgr.exe

Loads dropped DLL 1 IoCs

pid	Process
3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2956-6-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2956-9-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2956-8-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2956-10-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2956-11-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2956-25-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-32-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-33-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-34-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-35-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-36-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-37-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-38-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-39-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-40-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-41-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-42-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-43-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-44-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-45-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-46-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2692-47-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java Update = "msnmsgr.exe"	06ab8d4de50d9a8cfdd1e939baa3496d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 2828 set thread context of 2692	2828	msnmsgr.exe	30

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\msnmsgr.exe	06ab8d4de50d9a8cfdd1e939baa3496d.exe
File opened for modification	C:\Windows\msnmsgr.exe	06ab8d4de50d9a8cfdd1e939baa3496d.exe
File created	C:\Windows\winsyx.dll	msnmsgr.exe
File opened for modification	C:\Windows\winsyx.dll	msnmsgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe
2828	msnmsgr.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 3032 wrote to memory of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 3032 wrote to memory of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 3032 wrote to memory of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 3032 wrote to memory of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 3032 wrote to memory of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 3032 wrote to memory of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 3032 wrote to memory of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 3032 wrote to memory of 2956	3032	06ab8d4de50d9a8cfdd1e939baa3496d.exe	28
PID 2956 wrote to memory of 2828	2956	06ab8d4de50d9a8cfdd1e939baa3496d.exe	29
PID 2956 wrote to memory of 2828	2956	06ab8d4de50d9a8cfdd1e939baa3496d.exe	29
PID 2956 wrote to memory of 2828	2956	06ab8d4de50d9a8cfdd1e939baa3496d.exe	29
PID 2956 wrote to memory of 2828	2956	06ab8d4de50d9a8cfdd1e939baa3496d.exe	29
PID 2828 wrote to memory of 2692	2828	msnmsgr.exe	30
PID 2828 wrote to memory of 2692	2828	msnmsgr.exe	30
PID 2828 wrote to memory of 2692	2828	msnmsgr.exe	30
PID 2828 wrote to memory of 2692	2828	msnmsgr.exe	30
PID 2828 wrote to memory of 2692	2828	msnmsgr.exe	30
PID 2828 wrote to memory of 2692	2828	msnmsgr.exe	30
PID 2828 wrote to memory of 2692	2828	msnmsgr.exe	30
PID 2828 wrote to memory of 2692	2828	msnmsgr.exe	30
PID 2828 wrote to memory of 2692	2828	msnmsgr.exe	30

C:\Users\Admin\AppData\Local\Temp\06ab8d4de50d9a8cfdd1e939baa3496d.exe
"C:\Users\Admin\AppData\Local\Temp\06ab8d4de50d9a8cfdd1e939baa3496d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\06ab8d4de50d9a8cfdd1e939baa3496d.exe
  "C:\Users\Admin\AppData\Local\Temp\06ab8d4de50d9a8cfdd1e939baa3496d.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\msnmsgr.exe
    "C:\Windows\msnmsgr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\msnmsgr.exe
      "C:\Windows\msnmsgr.exe"
      4⤵
      Executes dropped EXE
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msnmsgr.exe

Filesize
128KB

MD5
06ab8d4de50d9a8cfdd1e939baa3496d

SHA1
ca8715049b9a5b519c69f9de4531af83c94d657a

SHA256
e0e554a0510af40ffb04af3f5224b2f3e3d37c1b460df1a3eb7460f3e7965c75

SHA512
e60ccad466b68675b8165684501524822fc067ce33474edf18af99426ad10d6989803795553482d6b8529332869265485381d89e3be9a4449d7a3127f23d29d5

Download Submit
\Users\Admin\AppData\Local\Temp\winsyx.dll

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/2692-36-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-42-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-37-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-46-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-45-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-44-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-32-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-33-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-38-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-35-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-47-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-43-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-34-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-39-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-40-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2692-41-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2956-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2956-10-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2956-25-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2956-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2956-11-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2956-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads