8172182cc60b3a091cf272b7d3ce41d32d2c97968cfd888b43a1050b42183ba8

General

Target

4c5f8911d8dcc8ee91efdc45eb5eca09.exe
Size

6.6MB
MD5

4c5f8911d8dcc8ee91efdc45eb5eca09
SHA1

9e50dd5ce32015f91ae27a2bd698162d573a7d8e
SHA256

8172182cc60b3a091cf272b7d3ce41d32d2c97968cfd888b43a1050b42183ba8
SHA512

15d7040e351323762cca2471d158b169b46d676011ca9b8718f26b82a6c92853565a77ef185523c76fdce5cdb85fd1ec9713a0efe9acb2cbba56c96d43c30ee1
SSDEEP

98304:fzNY4cYhTqOGFupWnR6h/r1xPszftGzKGTlM+xATUzcZgaM6Fa2IF0TW:rNY4HhTqFup0Y/hxctGzMPXiYFaT0TW

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2708	FireStarter.exe

Loads dropped DLL 5 IoCs

pid	Process
1680	4c5f8911d8dcc8ee91efdc45eb5eca09.exe
1680	4c5f8911d8dcc8ee91efdc45eb5eca09.exe
2708	FireStarter.exe
2708	FireStarter.exe
2708	FireStarter.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1680-154-0x0000000000400000-0x000000000048E000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	FireStarter.exe
2708	FireStarter.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2708	1680	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	23
PID 1680 wrote to memory of 2708	1680	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	23
PID 1680 wrote to memory of 2708	1680	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	23
PID 1680 wrote to memory of 2708	1680	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	23
PID 1680 wrote to memory of 2708	1680	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	23
PID 1680 wrote to memory of 2708	1680	4c5f8911d8dcc8ee91efdc45eb5eca09.exe	23

C:\Users\Admin\AppData\Local\Temp\4c5f8911d8dcc8ee91efdc45eb5eca09.exe
"C:\Users\Admin\AppData\Local\Temp\4c5f8911d8dcc8ee91efdc45eb5eca09.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\temp\vefbevgtvv\FireStarter.exe
  C:\Windows\temp\vefbevgtvv\FireStarter.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\vefbevgtvv\FireStarter.exe

Filesize
381KB

MD5
bbd5b293f926de7d8ea8878a73d7e336

SHA1
19291e1aded8cb7ce88303c1f4dfad8afd76131b

SHA256
d785168dec29f3c360bcb9963d4c33a8b5b90b21595a72e4991434c1a5086349

SHA512
e226d952594ee971afcf7844e92b092c404938574adffacb2ed4d61d12d9c89a7179c3d0723c7d4ea9741f80ed645b4ec398b3cc785544c143a0f1135df7d018

Download Submit
C:\Windows\Temp\vefbevgtvv\FireStarter.exe

Filesize
92KB

MD5
acafb31af2f7037d79b3ccd532df5381

SHA1
35613bd553637d99aae71dba341f127c5776758a

SHA256
a69a3e02fa3c90035b0c8a0fee6e2fb1994fc45af686bdc7a8b93fb9a84ba4e8

SHA512
05e2129f2de419622bf8f93241a09a7dab1d2ac6be0a943572678d57f3968756c7fb9be8b11425b9671dacc2327d29a2719cc98ce6e1f0f024a414fc291b5ff8

Download Submit
C:\Windows\temp\vefbevgtvv\a6flash.dll

Filesize
68KB

MD5
9dc67d3df57ccab63ed57cddc94a9bf9

SHA1
9f9dfa08ec690fa4c66f5de67255f15c838d60e2

SHA256
ec3bce0df619952edcf5619b82910cf09f9806b1f7ec75400641a776bb9d88e6

SHA512
03e26eb10726c53b449540e316058c86e5cb690acf5ba3c3145b245f81d8aa2bd8ba070415a4959798b9d22dbf7b3b1ccc48337241cba30cd42a9ee26af12de7

Download Submit
\Windows\Temp\vefbevgtvv\CCUtils.dll

Filesize
59KB

MD5
1b911925e4bef0b3773f8cff42aed9f8

SHA1
ce57476734adacd475dc02a86a848b46ee8df5ff

SHA256
07ab97463ae9d99e8128a1fb49a72f40bd0c1edd892a011f962fb4bd098dd6ac

SHA512
641dda055361508b9646317d7e718d47635eaddc468c9fd0c59a350ce3a835584424aff4f76bfb857913f2be42e6b410f27c2cb10bc551b5cdab57555f8bcba1

Download Submit
\Windows\Temp\vefbevgtvv\FireStarter.exe

Filesize
384KB

MD5
39c1b90caef96732093cfa9c4f4e6a90

SHA1
1affbe3135ed9f5a78f111c2d857eb6b16fc0d3d

SHA256
87db6333c8740576dad80948dafc74c3aebbdfcb434ff2e0dcbf16f8d9b617dc

SHA512
276295047ed3e81acb4ae826db12ad728b9af75ec2dd60e1965606824920abd5d54a1dd02c5258e94d728f96296a68e23e803edbc0f31ff3e0f151a1b06a8ae4

Download Submit
\Windows\Temp\vefbevgtvv\FireStarter.exe

Filesize
894KB

MD5
910a47f8a759349fb5875507d6f35d1f

SHA1
73b9f6db6f551896b088f8e4ce9eb36da989599e

SHA256
84bc05f2eba64902323e01a5ae8d3119faafd355556168fd8bd6abf26af76d77

SHA512
c3a534df7e4d7f9321be98cc47f1bf084875ab07e10791af476cebc2142fc6a65ff8a02566f2ed91a9d8f5754475d4cdce06c3adb60ce9bb301bd5e2825bb4fe

Download Submit
memory/1680-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1680-160-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1680-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1680-154-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2708-151-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2708-155-0x0000000000400000-0x00000000009CD000-memory.dmp

Filesize
5.8MB

Download
memory/2708-156-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2708-144-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2708-149-0x00000000009D0000-0x0000000000A28000-memory.dmp

Filesize
352KB

Download
memory/2708-161-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing