8dc8d0638a4d5c29e83ec061eb37c859c16642521b6a9511bae8538cc67cebfa

General

Target

2d046bfcf0b274f4ad65305662416a0c.exe
Size

339KB
MD5

2d046bfcf0b274f4ad65305662416a0c
SHA1

be5b46b592269dc2f3d0893f258a44b69424e184
SHA256

8dc8d0638a4d5c29e83ec061eb37c859c16642521b6a9511bae8538cc67cebfa
SHA512

a57d3165d26cfc4129d63fc47d2fa545dbc131df2f4bee72e7675dff03fbbfc244486215379a1f5a8c976b7056aa511a1ede221aa3a63ecf22a4ba3abf3f0029
SSDEEP

6144:wLYXjIyK/oaDFbc+6cTUq+jpyHhof1arQhMfOV0w9pib6sro2tNx6tau:DXjQ/oaF/jTZ+VuSNym8OV0ENEoz

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\TXP1atform.exe	2d046bfcf0b274f4ad65305662416a0c.exe
File created	C:\Windows\SysWOW64\drivers\TXP1atform.exe	2d046bfcf0b274f4ad65305662416a0c.exe

Deletes itself 1 IoCs

pid	Process
2412	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	TXP1atform.exe
2816	2d046bfcf0b274f4ad65305662416a0c.exe

Loads dropped DLL 4 IoCs

pid	Process
2256	2d046bfcf0b274f4ad65305662416a0c.exe
2256	2d046bfcf0b274f4ad65305662416a0c.exe
2412	cmd.exe
2412	cmd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/files/0x0031000000016b97-10.dat	upx
behavioral1/memory/2696-20-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2696-21-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2256-22-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2256	2d046bfcf0b274f4ad65305662416a0c.exe
2696	TXP1atform.exe
2696	TXP1atform.exe
2696	TXP1atform.exe
2696	TXP1atform.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2412	2256	2d046bfcf0b274f4ad65305662416a0c.exe	28
PID 2256 wrote to memory of 2412	2256	2d046bfcf0b274f4ad65305662416a0c.exe	28
PID 2256 wrote to memory of 2412	2256	2d046bfcf0b274f4ad65305662416a0c.exe	28
PID 2256 wrote to memory of 2412	2256	2d046bfcf0b274f4ad65305662416a0c.exe	28
PID 2256 wrote to memory of 2696	2256	2d046bfcf0b274f4ad65305662416a0c.exe	30
PID 2256 wrote to memory of 2696	2256	2d046bfcf0b274f4ad65305662416a0c.exe	30
PID 2256 wrote to memory of 2696	2256	2d046bfcf0b274f4ad65305662416a0c.exe	30
PID 2256 wrote to memory of 2696	2256	2d046bfcf0b274f4ad65305662416a0c.exe	30
PID 2412 wrote to memory of 2816	2412	cmd.exe	31
PID 2412 wrote to memory of 2816	2412	cmd.exe	31
PID 2412 wrote to memory of 2816	2412	cmd.exe	31
PID 2412 wrote to memory of 2816	2412	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\2d046bfcf0b274f4ad65305662416a0c.exe
"C:\Users\Admin\AppData\Local\Temp\2d046bfcf0b274f4ad65305662416a0c.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\44$$.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\2d046bfcf0b274f4ad65305662416a0c.exe
    "C:\Users\Admin\AppData\Local\Temp\2d046bfcf0b274f4ad65305662416a0c.exe"
    3⤵
    - Executes dropped EXE
    PID:2816
- C:\Windows\SysWOW64\drivers\TXP1atform.exe
  C:\Windows\system32\drivers\TXP1atform.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2d046bfcf0b274f4ad65305662416a0c.exe.exe

Filesize
19KB

MD5
982f46d9e5b21ebbada0256418b957b2

SHA1
559946bba6470c56e13138396e66c479a6e0d61a

SHA256
a27f5b775a4b8e7578146c6c5b5d5eebacadd7ce886f6c9dc4e09939d5c2534d

SHA512
e19dcecedce158e282f4c86fe80beab34efb6c3e4e69e94b9645e0e54a8fdf63d2e0696fd17f82a64717fa789b4159af52d506b052a9ea5507e73df29b5df47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\44$$.bat

Filesize
485B

MD5
ed3a529be9296f30841d8e9abf495098

SHA1
a72bee9939f52fd4030a11f200e98a951d9f33fb

SHA256
aa2a735be2cf24e343b971401fdd25a9adc1ff57d088c0198fff90b3dae577d3

SHA512
05ef9cbc1258976ce3ea984790c64c28ece0c2745bb3f4ad5e94583692d62786e87b41b39df3364f1c15d3f780b9399a7ac32ab4401a275a319ed9d3405fa555

Download Submit
\Users\Admin\AppData\Local\Temp\2d046bfcf0b274f4ad65305662416a0c.exe

Filesize
36KB

MD5
dc09aea4cfae752e5d68007330d9edbb

SHA1
9852ba0d0d17eb012364f1f314c17d827333df7d

SHA256
2a2ee844aaa1e53f63b476ac27cde583914b3783bd76b3c93fed6327747b4feb

SHA512
66f7fa834a978ae75a2a69ed5d97b69433f4c4332edd5c99c9cd4a8505f86d434022b962dd2adabbca7d285f1c0e481ddc681646c5681469de2291ae04bdc302

Download Submit
\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
303KB

MD5
842badcb53a52fe0e41efa1d3d77119d

SHA1
b684bc80567463ab99a8f30d7d08117f0f904f06

SHA256
8288f074f5da4d24abc1d24b4c774e3fa9c89f60231d66a0306f78d122af9fa0

SHA512
f8f2a007155d3dca21ca43eef5c4965838260a529eb42ffc68397770de718b5023bf5794d354b835bed968550220bd7f298f6bc7b8bb3b0e5c1fe014c590944a

Download Submit
memory/2256-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2256-16-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/2256-22-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2696-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2696-21-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing