4a347fa219ab56ae1db478571d683b05dc98b17e0b40f28df76449386aceaf8a

General

Target

4d33a4aefbdb53baac6fda5b1173d4c4.exe
Size

47KB
MD5

4d33a4aefbdb53baac6fda5b1173d4c4
SHA1

2cce90413d217e29809da68242e49d19e91dab58
SHA256

4a347fa219ab56ae1db478571d683b05dc98b17e0b40f28df76449386aceaf8a
SHA512

3fdcaf5490d16c1c82c896b83025a979cb8971865602f490e358413af03fb6e5cd7dd0ee84262b1e8dd1e521dae9542c51c965bed81f4084d9c788f2cc2697d8
SSDEEP

768:oSpal4JjggmFYb1KIMULgxN/B1kuyzhEbtRR0YnjUTBdvzzKC:JslEmqb1TMqgPBA2b/3UfzzKC

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2884	rundll32.exe

Loads dropped DLL 8 IoCs

pid	Process
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2300	rundll32.exe
2884	rundll32.exe
2664	rundll32.exe
2300	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-6-0x0000000000400000-0x000000000061F000-memory.dmp	upx
behavioral1/memory/2068-7-0x0000000000400000-0x000000000061F000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whhfd008.ocx	4d33a4aefbdb53baac6fda5b1173d4c4.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\whh34002.ocx	4d33a4aefbdb53baac6fda5b1173d4c4.exe
File opened for modification	C:\Program Files\Common Files\whh34002.ocx	4d33a4aefbdb53baac6fda5b1173d4c4.exe
File created	C:\Program Files\Common Files\0F77AD8Ece.dll	4d33a4aefbdb53baac6fda5b1173d4c4.exe
File opened for modification	C:\Program Files\Common Files\0F77AD8Ece.dll	4d33a4aefbdb53baac6fda5b1173d4c4.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2884	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2664	rundll32.exe
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2664	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2300	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	29
PID 2068 wrote to memory of 2300	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	29
PID 2068 wrote to memory of 2300	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	29
PID 2068 wrote to memory of 2300	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	29
PID 2068 wrote to memory of 2300	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	29
PID 2068 wrote to memory of 2300	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	29
PID 2068 wrote to memory of 2300	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	29
PID 2068 wrote to memory of 2664	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	30
PID 2068 wrote to memory of 2664	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	30
PID 2068 wrote to memory of 2664	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	30
PID 2068 wrote to memory of 2664	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	30
PID 2068 wrote to memory of 2664	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	30
PID 2068 wrote to memory of 2664	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	30
PID 2068 wrote to memory of 2664	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	30
PID 2068 wrote to memory of 2884	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	31
PID 2068 wrote to memory of 2884	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	31
PID 2068 wrote to memory of 2884	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	31
PID 2068 wrote to memory of 2884	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	31
PID 2068 wrote to memory of 2884	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	31
PID 2068 wrote to memory of 2884	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	31
PID 2068 wrote to memory of 2884	2068	4d33a4aefbdb53baac6fda5b1173d4c4.exe	31

C:\Users\Admin\AppData\Local\Temp\4d33a4aefbdb53baac6fda5b1173d4c4.exe
"C:\Users\Admin\AppData\Local\Temp\4d33a4aefbdb53baac6fda5b1173d4c4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\whhfd008.ocx" pfjieaoidjglkajd
  2⤵
  - Loads dropped DLL
  PID:2300
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\0F77AD8Ece.dll" m3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\whh34002.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\4d33a4aefbdb53baac6fda5b1173d4c4.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\0F77AD8Ece.dll

Filesize
10KB

MD5
f1f49fb85ab029ad86c02ebecb892b12

SHA1
664a602f8e843218c1158571714cd0adee1da939

SHA256
f8f3abcf8d43377b49d1edce23a667c9efd9cde86e9afee228e8c3b093013f13

SHA512
600810f5a23067afb483b2fb5cd980c817d1b79da7fd7c5183a2d76f3546c514256f5536791abd4ed4b949518c63ab7c55df3e9b9109df2681fd3df10dbd2673

Download Submit
\Program Files\Common Files\whh34002.ocx

Filesize
65KB

MD5
dc20ab5266e68f5ca2a8ee4adbcc58a6

SHA1
5e77eb576f62e113c68f142122aa580783fda955

SHA256
742e7f3da406d861712b44caeac50b6b293672920fa133e4d7c5509694630cdf

SHA512
668182d2fb2d566aed3cf452174ed281e2a36c21f61281aaef392a5ba6f9edf86b977535ce79d56b5c3935b39e2cc06167be7608d28d7fd18e657d2db4215205

Download Submit
\Windows\SysWOW64\whhfd008.ocx

Filesize
14KB

MD5
731659d09654891912ac223e20cd10ab

SHA1
13cee04adc7b09ef1c0c6b9abc02d0c7bc02a071

SHA256
672639ce00081bdd6b6ee69e1bc816d0b353ed9713b5a21bac6009907daf3d3b

SHA512
e2b63a180ff6a9ef523f21a9afe9f71f612f617fbab5b791f763c8bccab14d8cb1986729fadba4bc5f29fe9813766bcb88168018f8c6571ec72efc69639f1116

Download Submit
memory/2068-6-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2068-7-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2300-21-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/2300-24-0x00000000020D0000-0x00000000022E5000-memory.dmp

Filesize
2.1MB

Download
memory/2300-25-0x00000000020D0000-0x00000000022E5000-memory.dmp

Filesize
2.1MB

Download
memory/2664-20-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/2664-23-0x0000000000960000-0x0000000000B75000-memory.dmp

Filesize
2.1MB

Download
memory/2664-26-0x0000000000960000-0x0000000000B75000-memory.dmp

Filesize
2.1MB

Download
memory/2884-22-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing