80fcd8165d55bed64711da5639d103d857cbca33d6278dc6a32eda4bf366ba6b

General

Target

3b1b7509203fc16f43d4791fb302a20c.exe
Size

1.2MB
MD5

3b1b7509203fc16f43d4791fb302a20c
SHA1

b3994a62be86bf405b623a8fa85f99e39d263f33
SHA256

80fcd8165d55bed64711da5639d103d857cbca33d6278dc6a32eda4bf366ba6b
SHA512

3f37697186eb3bce76a211a507c243388b4ed552519a5f35ff3bc7d7e1bf2f866a400f59271a8b7a7203dfada1de7c90e551565050872580c3b102df0579cd68
SSDEEP

24576:b1dlZo5hVUBu+6mYLfV9bLUzrFy7PE6ZFkj7cyraDOGUBJzzqMOmsWpWiMOQuYn:b1dlZohVUs+uR9HUzrMrZFs7DacBJPqd

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
928	222222.exe
2560	222222.exe
2868	skype-setup (2).exe

Loads dropped DLL 2 IoCs

pid	Process
2868	skype-setup (2).exe
2868	skype-setup (2).exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d0000000122c4-41.dat	upx
behavioral1/memory/2868-42-0x0000000000400000-0x00000000006A1000-memory.dmp	upx
behavioral1/memory/2868-66-0x0000000000400000-0x00000000006A1000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 928 set thread context of 2560	928	222222.exe	30

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\222222.exe	3b1b7509203fc16f43d4791fb302a20c.exe
File created	C:\Windows\skype-setup (2).exe	3b1b7509203fc16f43d4791fb302a20c.exe
File opened for modification	C:\Windows\	3b1b7509203fc16f43d4791fb302a20c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2560	222222.exe
2560	222222.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	skype-setup (2).exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
928	222222.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 928	2968	3b1b7509203fc16f43d4791fb302a20c.exe	28
PID 2968 wrote to memory of 928	2968	3b1b7509203fc16f43d4791fb302a20c.exe	28
PID 2968 wrote to memory of 928	2968	3b1b7509203fc16f43d4791fb302a20c.exe	28
PID 2968 wrote to memory of 928	2968	3b1b7509203fc16f43d4791fb302a20c.exe	28
PID 928 wrote to memory of 2560	928	222222.exe	30
PID 928 wrote to memory of 2560	928	222222.exe	30
PID 928 wrote to memory of 2560	928	222222.exe	30
PID 928 wrote to memory of 2560	928	222222.exe	30
PID 928 wrote to memory of 2560	928	222222.exe	30
PID 928 wrote to memory of 2560	928	222222.exe	30
PID 928 wrote to memory of 2560	928	222222.exe	30
PID 928 wrote to memory of 2560	928	222222.exe	30
PID 2968 wrote to memory of 2868	2968	3b1b7509203fc16f43d4791fb302a20c.exe	29
PID 2968 wrote to memory of 2868	2968	3b1b7509203fc16f43d4791fb302a20c.exe	29
PID 2968 wrote to memory of 2868	2968	3b1b7509203fc16f43d4791fb302a20c.exe	29
PID 2968 wrote to memory of 2868	2968	3b1b7509203fc16f43d4791fb302a20c.exe	29
PID 2968 wrote to memory of 2868	2968	3b1b7509203fc16f43d4791fb302a20c.exe	29
PID 2968 wrote to memory of 2868	2968	3b1b7509203fc16f43d4791fb302a20c.exe	29
PID 2968 wrote to memory of 2868	2968	3b1b7509203fc16f43d4791fb302a20c.exe	29
PID 2560 wrote to memory of 1344	2560	222222.exe	6
PID 2560 wrote to memory of 1344	2560	222222.exe	6
PID 2560 wrote to memory of 1344	2560	222222.exe	6
PID 2560 wrote to memory of 1344	2560	222222.exe	6

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\3b1b7509203fc16f43d4791fb302a20c.exe
  "C:\Users\Admin\AppData\Local\Temp\3b1b7509203fc16f43d4791fb302a20c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\windows\222222.exe
    "C:\windows\222222.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\windows\222222.exe
      "C:\windows\222222.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2560
- - C:\Windows\skype-setup (2).exe
    "C:\Windows\skype-setup (2).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
202B

MD5
b6d247c51e495c3a66f7441d42fe0829

SHA1
ee7e5659fe6f06fd3c3a1e9b3ee995cd8d85e64e

SHA256
e9fe9d3b2974c7cb49e805de51d79e658854f2cf06b2b06b81c34438cb71a1c9

SHA512
13eaa9f2e8a3ddce7a0f99d70b7b2b32d5044841ed701f5d72bb6aa56f6ae8a4cef6c850c7db11371c064ea34d9e323bee0475d7460e1abe68a847a5227f5b67

Download Submit
C:\Windows\222222.exe

Filesize
111KB

MD5
bb7d91063363c2b5c94563113a1540cf

SHA1
09659d0c6ad3485ba2e8ff4b02f8441a15bd1ff3

SHA256
d231d7a9c58d82faec07357c57a5670abcc33dd1e50f8767a20e63f856cdb3eb

SHA512
35cc1c72463d13e17f440d56cc0af1c9de7b27f50a6930afc37cb36219e42ceca7ab715e5afc26ba2fbc4d03f2be45531573d91fdffad6c4ff6bec51550370cb

Download Submit
C:\Windows\222222.exe

Filesize
408KB

MD5
686882a5327b724b0fc264411f5dcc3d

SHA1
d58ec9129ead6ce3297258a11b0a9e52ba6f6ea7

SHA256
bf0033becfeb56a3c839de1a81d53cb462a9b8383577b4c3c488a062b096712e

SHA512
70e1e56090429f9ec42f24b9d71ac348eb42bc291bd3271687837e1a0433f32c28d3e1caabb0a3b77ae8151d16911295e739673a1ddd606709ef306a31852d51

Download Submit
C:\Windows\skype-setup (2).exe

Filesize
331KB

MD5
2b1d0df30bd62c799c2f8b22e4441f1a

SHA1
926a8f920d6cfd5806a955660f771109ab37ffd8

SHA256
f5f8dc188e679bfcb1979ec8cef2a0420c0e7fac2f24ef6447b07efbd90c4429

SHA512
ab665a081147d09169145aeffb2002bd08837e042bc5d93b4fa50a14a8dcc13c75ce2b362ddae111a45f41f2f55bd1c60f22cecd707514d4628017979b17fea4

Download Submit
\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
62KB

MD5
82331d322adf2d0d07363549012f7104

SHA1
b423195a39b3e91978d8ebfe8a23d40cffd561f6

SHA256
e1b7b081a51ce54a27b1b0bdf8c661e956ec3ae32d6c547c21c49b4e914b27bb

SHA512
b7392a74c981828c309e111181e9e10dc7e252e6bb821e631cc93ba789db58aee145416ae453e710601c6cb839299b304b2166f1950155dd73b10c798a746160

Download Submit
\Users\Admin\AppData\Local\Temp\gtapi.dll

Filesize
73KB

MD5
64f15c1e67d305bf5522ece465019b50

SHA1
c54d95b98dd0f32adccb46e1030d13ca81ea9aae

SHA256
bdc0326c2864498243657cc2c76d31816c208f5b159f0991b3698f093cf64619

SHA512
74710ce2f6473b61176c31a180c973b0ad39b6159772de13eb3fd9f0c40864884687ee47bd9e67c6667702f7a8c02c2f5f79e0e19a2a3d6b369e7246a03fb8c6

Download Submit
memory/928-28-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/928-25-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/928-35-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1344-55-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1344-51-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2560-36-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/2560-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2560-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2560-54-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2560-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2560-65-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/2868-42-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/2868-43-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2868-66-0x0000000000400000-0x00000000006A1000-memory.dmp

Filesize
2.6MB

Download
memory/2868-68-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2968-20-0x0000000003680000-0x0000000003748000-memory.dmp

Filesize
800KB

Download
memory/2968-26-0x0000000003680000-0x0000000003748000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing