ae9802f5188e465c7456ecf925c2116a35921cde096cfd7457e732d8c5507699

General

Target

0c7d8cd046f19eb731544cd0fa3304de.exe
Size

100KB
MD5

0c7d8cd046f19eb731544cd0fa3304de
SHA1

da28a7ce81aa7ac42865225691c0b9ac412fb05e
SHA256

ae9802f5188e465c7456ecf925c2116a35921cde096cfd7457e732d8c5507699
SHA512

6b1e577e092e43aec4c0fbfb90f8226746d56838f37cefb286ccd11b2ff42535e4737b59401f973470eb8c47d060279efb3b60a7d240e116d30c62b5f46e075d
SSDEEP

3072:7M+o7RdH5I96p+X9J1hvAaHafSEyNDWQDU6ra0BnwuJ6EQ1sNG8bJZ:M7RZ5S6p+X9J1RAaHafSEyNDPDU6G0Br

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2720	System.exe
2700	System.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-9-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2660-38-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2660-14-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2660-13-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2660-12-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2660-11-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2660-6-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2660-5-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-42-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-45-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-46-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-47-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-48-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-49-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-50-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-51-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-52-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-53-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-54-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-55-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-56-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2700-57-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSN Messanger = "C:\\Windows\\System.exe"	0c7d8cd046f19eb731544cd0fa3304de.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 2660	2492	0c7d8cd046f19eb731544cd0fa3304de.exe	28
PID 2720 set thread context of 2700	2720	System.exe	30

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System.exe	0c7d8cd046f19eb731544cd0fa3304de.exe
File opened for modification	C:\Windows\System.exe	System.exe
File created	C:\Windows\System.exe	System.exe
File created	C:\Windows\System.exe	0c7d8cd046f19eb731544cd0fa3304de.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2492	0c7d8cd046f19eb731544cd0fa3304de.exe
2720	System.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2660	2492	0c7d8cd046f19eb731544cd0fa3304de.exe	28
PID 2492 wrote to memory of 2660	2492	0c7d8cd046f19eb731544cd0fa3304de.exe	28
PID 2492 wrote to memory of 2660	2492	0c7d8cd046f19eb731544cd0fa3304de.exe	28
PID 2492 wrote to memory of 2660	2492	0c7d8cd046f19eb731544cd0fa3304de.exe	28
PID 2492 wrote to memory of 2660	2492	0c7d8cd046f19eb731544cd0fa3304de.exe	28
PID 2492 wrote to memory of 2660	2492	0c7d8cd046f19eb731544cd0fa3304de.exe	28
PID 2492 wrote to memory of 2660	2492	0c7d8cd046f19eb731544cd0fa3304de.exe	28
PID 2492 wrote to memory of 2660	2492	0c7d8cd046f19eb731544cd0fa3304de.exe	28
PID 2660 wrote to memory of 2720	2660	0c7d8cd046f19eb731544cd0fa3304de.exe	29
PID 2660 wrote to memory of 2720	2660	0c7d8cd046f19eb731544cd0fa3304de.exe	29
PID 2660 wrote to memory of 2720	2660	0c7d8cd046f19eb731544cd0fa3304de.exe	29
PID 2660 wrote to memory of 2720	2660	0c7d8cd046f19eb731544cd0fa3304de.exe	29
PID 2720 wrote to memory of 2700	2720	System.exe	30
PID 2720 wrote to memory of 2700	2720	System.exe	30
PID 2720 wrote to memory of 2700	2720	System.exe	30
PID 2720 wrote to memory of 2700	2720	System.exe	30
PID 2720 wrote to memory of 2700	2720	System.exe	30
PID 2720 wrote to memory of 2700	2720	System.exe	30
PID 2720 wrote to memory of 2700	2720	System.exe	30
PID 2720 wrote to memory of 2700	2720	System.exe	30

C:\Users\Admin\AppData\Local\Temp\0c7d8cd046f19eb731544cd0fa3304de.exe
"C:\Users\Admin\AppData\Local\Temp\0c7d8cd046f19eb731544cd0fa3304de.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\0c7d8cd046f19eb731544cd0fa3304de.exe
  "C:\Users\Admin\AppData\Local\Temp\0c7d8cd046f19eb731544cd0fa3304de.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\System.exe
    "C:\Windows\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\System.exe
      "C:\Windows\System.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2660-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2660-23-0x00000000003D0000-0x00000000003EE000-memory.dmp

Filesize
120KB

Download
memory/2660-38-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2660-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2660-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2660-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2660-13-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2660-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2660-11-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2660-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-42-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-50-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-45-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-46-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-47-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-48-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-49-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-57-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-51-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-52-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-53-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-54-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2700-56-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2720-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads