e75d09564be6fba800f44081887ef8aa7ad77a44178569f40fb032a4d6a70790

General

Target

6f444b3df4316b1818ccc1512ba5186c.exe
Size

1.9MB
MD5

6f444b3df4316b1818ccc1512ba5186c
SHA1

319504f4ffc208b7e9a92ae7e63ceafc2f2e6e64
SHA256

e75d09564be6fba800f44081887ef8aa7ad77a44178569f40fb032a4d6a70790
SHA512

f801d4f99fb8fcb146c2faf3a4a385bd292b053bdd0b58f41b88ae47c4936506e826d542082667f350cfe3d273f8d3e0988fdbb4b5bf4e451700b15cf6f7a7e2
SSDEEP

49152:DVyOSVfk2xuQxGxrczS+LD+sH5oiyrQvTexEJWavcEOgs:DVyOSS2xs3+LpZoLrQvTexEhts

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3020	dchs_setup_spr.exe

Loads dropped DLL 6 IoCs

pid	Process
2648	6f444b3df4316b1818ccc1512ba5186c.exe
3020	dchs_setup_spr.exe
3020	dchs_setup_spr.exe
3020	dchs_setup_spr.exe
3020	dchs_setup_spr.exe
3020	dchs_setup_spr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012281-3.dat	upx
behavioral1/memory/2648-5-0x00000000025F0000-0x0000000002646000-memory.dmp	upx
behavioral1/memory/3020-9-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/files/0x0006000000016c24-17.dat	upx
behavioral1/memory/3020-58-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3020	dchs_setup_spr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	6f444b3df4316b1818ccc1512ba5186c.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 3020	2648	6f444b3df4316b1818ccc1512ba5186c.exe	28
PID 2648 wrote to memory of 3020	2648	6f444b3df4316b1818ccc1512ba5186c.exe	28
PID 2648 wrote to memory of 3020	2648	6f444b3df4316b1818ccc1512ba5186c.exe	28
PID 2648 wrote to memory of 3020	2648	6f444b3df4316b1818ccc1512ba5186c.exe	28
PID 2648 wrote to memory of 3020	2648	6f444b3df4316b1818ccc1512ba5186c.exe	28
PID 2648 wrote to memory of 3020	2648	6f444b3df4316b1818ccc1512ba5186c.exe	28
PID 2648 wrote to memory of 3020	2648	6f444b3df4316b1818ccc1512ba5186c.exe	28

C:\Users\Admin\AppData\Local\Temp\6f444b3df4316b1818ccc1512ba5186c.exe
"C:\Users\Admin\AppData\Local\Temp\6f444b3df4316b1818ccc1512ba5186c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\dchs_setup_spr.exe
  "C:\Users\Admin\AppData\Local\Temp\dchs_setup_spr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\1DR4SG0G\Resume.exe

Filesize
121KB

MD5
0080acc7c9f5f1676263fca82a692c5f

SHA1
808d2271b5a47f18f1dbed639448d9f8b7ddca01

SHA256
62d27861426ac776c5506e44f280310dd73f844ae5f98df333d3513989eace8b

SHA512
0e3c719c92fd780237d3eb2b8f42be10d5cd274116ae1bbe74eef8d5010848070fd2c10fad997258c7b23040cf2d77d6009d6f60164e5c6527624512cceab84b

Download Submit
\Temp\1DR4SG0G\dchs_setup_spr\plugins\0\StdUI.dll

Filesize
147KB

MD5
0ef0df3c28f135fa78eb9dfcf1b0499e

SHA1
ca21f49137267b3edc8f5aae86bec80f43cd4890

SHA256
8d987a52990bf4ea755240b7a1ea7f73a16b1fd67f3e91fc21e87a4f7d443546

SHA512
26bd1e5b0996a6b653b5456e361fa373b0b0505536bb9b8095b1f1389b244810aa51513be2af1585408a0f151db2cadbb65abc02e64b8ca5e8b2e6c5d502746b

Download Submit
\Temp\1DR4SG0G\unpack.dll

Filesize
34KB

MD5
97bb07c04a2f3a0dace5aff04d305455

SHA1
2a966dfb6463a5c26ffb3a247dc9281bb57d25cf

SHA256
2adc86ef09b5aea46bc3ee88d1740760b3ce6ae5fa92fb6eceb6efc1e6c942d9

SHA512
9b00d6c26dfa946b78f73192c78edd6ae6027c377406f8e57089db8426b9664c972c77eb5b998430d9ab99c750b47d8e18203b737afcedec9a9dd09404c07c9f

Download Submit
\Users\Admin\AppData\Local\Temp\dchs_setup_spr.exe

Filesize
1.9MB

MD5
46892c172beca199d779fda7200f06a2

SHA1
6daa4443a6c9a1754b5174739c8c464380972484

SHA256
467340b795f66055848fa20604d8378676d8c188f4f71e68844b918609199c9d

SHA512
7b0c6bfae9d4d5bbb03520cd1bde03676f097ddb2e035479adc57a26850bb0821a2af38b9e58f5fa1e525fe57b9ec9b10b51d613c40b62dd00cbdff6c4e8e98b

Download Submit
memory/2648-5-0x00000000025F0000-0x0000000002646000-memory.dmp

Filesize
344KB

Download
memory/2648-60-0x00000000025F0000-0x0000000002646000-memory.dmp

Filesize
344KB

Download
memory/3020-13-0x0000000000240000-0x0000000000296000-memory.dmp

Filesize
344KB

Download
memory/3020-14-0x0000000000240000-0x0000000000296000-memory.dmp

Filesize
344KB

Download
memory/3020-15-0x0000000000240000-0x0000000000296000-memory.dmp

Filesize
344KB

Download
memory/3020-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3020-55-0x00000000028B0000-0x00000000028D9000-memory.dmp

Filesize
164KB

Download
memory/3020-58-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3020-59-0x00000000028B0000-0x00000000028D9000-memory.dmp

Filesize
164KB

Download
memory/3020-61-0x0000000000240000-0x0000000000296000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing