e0e554a0510af40ffb04af3f5224b2f3e3d37c1b460df1a3eb7460f3e7965c75

General

Target

06ab8d4de50d9a8cfdd1e939baa3496d.exe
Size

128KB
MD5

06ab8d4de50d9a8cfdd1e939baa3496d
SHA1

ca8715049b9a5b519c69f9de4531af83c94d657a
SHA256

e0e554a0510af40ffb04af3f5224b2f3e3d37c1b460df1a3eb7460f3e7965c75
SHA512

e60ccad466b68675b8165684501524822fc067ce33474edf18af99426ad10d6989803795553482d6b8529332869265485381d89e3be9a4449d7a3127f23d29d5
SSDEEP

3072:JCSY7w5vzZwUpX1GOdQ7nu4hEeCZrSJiT8T9g+lx27GwNiujQ5G940qnDOJa7aIN:829

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
948	msnmsgr.exe
4880	msnmsgr.exe

Loads dropped DLL 2 IoCs

pid	Process
4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe
948	msnmsgr.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4220-7-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4220-9-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4220-10-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4220-11-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-30-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-29-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4220-31-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-33-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-35-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-34-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-36-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-37-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-38-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-39-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-40-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-41-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-42-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-43-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-44-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-45-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-46-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4880-47-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Java Update = "msnmsgr.exe"	06ab8d4de50d9a8cfdd1e939baa3496d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 4220	4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe	89
PID 948 set thread context of 4880	948	msnmsgr.exe	99

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\msnmsgr.exe	06ab8d4de50d9a8cfdd1e939baa3496d.exe
File opened for modification	C:\Windows\msnmsgr.exe	06ab8d4de50d9a8cfdd1e939baa3496d.exe
File created	C:\Windows\winsyx.dll	msnmsgr.exe
File opened for modification	C:\Windows\winsyx.dll	msnmsgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe
948	msnmsgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4220	4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe	89
PID 4536 wrote to memory of 4220	4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe	89
PID 4536 wrote to memory of 4220	4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe	89
PID 4536 wrote to memory of 4220	4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe	89
PID 4536 wrote to memory of 4220	4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe	89
PID 4536 wrote to memory of 4220	4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe	89
PID 4536 wrote to memory of 4220	4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe	89
PID 4536 wrote to memory of 4220	4536	06ab8d4de50d9a8cfdd1e939baa3496d.exe	89
PID 4220 wrote to memory of 948	4220	06ab8d4de50d9a8cfdd1e939baa3496d.exe	98
PID 4220 wrote to memory of 948	4220	06ab8d4de50d9a8cfdd1e939baa3496d.exe	98
PID 4220 wrote to memory of 948	4220	06ab8d4de50d9a8cfdd1e939baa3496d.exe	98
PID 948 wrote to memory of 4880	948	msnmsgr.exe	99
PID 948 wrote to memory of 4880	948	msnmsgr.exe	99
PID 948 wrote to memory of 4880	948	msnmsgr.exe	99
PID 948 wrote to memory of 4880	948	msnmsgr.exe	99
PID 948 wrote to memory of 4880	948	msnmsgr.exe	99
PID 948 wrote to memory of 4880	948	msnmsgr.exe	99
PID 948 wrote to memory of 4880	948	msnmsgr.exe	99
PID 948 wrote to memory of 4880	948	msnmsgr.exe	99

C:\Users\Admin\AppData\Local\Temp\06ab8d4de50d9a8cfdd1e939baa3496d.exe
"C:\Users\Admin\AppData\Local\Temp\06ab8d4de50d9a8cfdd1e939baa3496d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\06ab8d4de50d9a8cfdd1e939baa3496d.exe
  "C:\Users\Admin\AppData\Local\Temp\06ab8d4de50d9a8cfdd1e939baa3496d.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\msnmsgr.exe
    "C:\Windows\msnmsgr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\msnmsgr.exe
      "C:\Windows\msnmsgr.exe"
      4⤵
      Executes dropped EXE
      PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winsyx.dll

Filesize
220KB

MD5
70bd02fff70eed18b3d19b87accf2fe5

SHA1
3272959d49093cc47a9e4dd07edc2a9dcc07c43a

SHA256
6cb40e9d10e256246ef29bd4d59b578a47734a119f6073f08420e0440d8aa790

SHA512
f7fbe27ce08bb575a2f5d1be703d22be237d8621ee268d7fe33d9917dcd45bce23fcb6113833ea72c8480584db6b3ff74001524e8a48f8c78fd7a88083d255e7

Download Submit
C:\Windows\msnmsgr.exe

Filesize
128KB

MD5
06ab8d4de50d9a8cfdd1e939baa3496d

SHA1
ca8715049b9a5b519c69f9de4531af83c94d657a

SHA256
e0e554a0510af40ffb04af3f5224b2f3e3d37c1b460df1a3eb7460f3e7965c75

SHA512
e60ccad466b68675b8165684501524822fc067ce33474edf18af99426ad10d6989803795553482d6b8529332869265485381d89e3be9a4449d7a3127f23d29d5

Download Submit
C:\Windows\winsyx.dll

Filesize
220KB

MD5
4b34f95bf17729c6441d8832c84b8ad7

SHA1
27d3d425a1bf8d61fa23f3b40eaf96517cbda487

SHA256
4d7c3a4d1f03f0d62c139fb8cdc8f665a22f6ca5e39f55652eec57e23fd0d646

SHA512
c4e6c0a651a7d4e044a461fbb264d304f6cf7dcb5ac7eead930e7d78f6399151e8f019a45a16a9a1df47d783f8c743e3172fb2296f7fbaefd36ecf4157f99821

Download Submit
C:\Windows\winsyx.dll

Filesize
273KB

MD5
1ce8d141fcefb3e3e41826eceaa90d8d

SHA1
beda5dfa8ce4d988c239d44760ffc6dcfa7a470a

SHA256
4258caa3922b71b1fe456bd39f08add655bfd9450ae5914824ec2891d4b0dd83

SHA512
244489714bc9bb5c31e2a6acd665fe2604da92fe9b3c976fff6fe71a21498d9da6827dc951ca0b58e6c2359545357dd6a2f1ee4d6a3a80fdc3385498e3b23b24

Download Submit
memory/4220-31-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4220-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4220-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4220-10-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4220-11-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-35-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-40-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-33-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-30-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-34-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-36-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-37-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-38-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-39-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-29-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-41-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-42-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-43-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-44-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-45-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-46-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4880-47-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads