35a16a156ed57760d503624ac6b8def2ab5f92f2760e3cd7d4dbee731ea787dc

General

Target

c03ce838f2bba250ac039f9509f7c93e.exe
Size

1.4MB
MD5

c03ce838f2bba250ac039f9509f7c93e
SHA1

28adabeac4ac799a87d8a0557636f71106ef94f1
SHA256

35a16a156ed57760d503624ac6b8def2ab5f92f2760e3cd7d4dbee731ea787dc
SHA512

cc007d96d622a761ce7901b1b2ee21750ec01aacf75ca24ffe92910680baa73a1d9680d915e430849210e34f761cd7f757748050fdff35a0e2b019460e1c09f6
SSDEEP

24576:Y6yJMY9UFoRDhkeYM1jJR97zUbia9JVe0hs5WfBiERJchVML1bT6Ed:3Y9UORVOM1jJHzaiape0hsABFRJch6LB

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

1032 test.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2372 cmd.exe

pid	process
1032	test.exe

pid	process
2372	cmd.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2640-0-0x0000000000400000-0x00000000006F1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2828 schtasks.exe

pid	process
2828	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c03ce838f2bba250ac039f9509f7c93e.execmd.exe

description	pid	process	target process
PID 2640 wrote to memory of 2372	2640	c03ce838f2bba250ac039f9509f7c93e.exe	cmd.exe
PID 2640 wrote to memory of 2372	2640	c03ce838f2bba250ac039f9509f7c93e.exe	cmd.exe
PID 2640 wrote to memory of 2372	2640	c03ce838f2bba250ac039f9509f7c93e.exe	cmd.exe
PID 2640 wrote to memory of 2372	2640	c03ce838f2bba250ac039f9509f7c93e.exe	cmd.exe
PID 2372 wrote to memory of 1032	2372	cmd.exe	test.exe
PID 2372 wrote to memory of 1032	2372	cmd.exe	test.exe
PID 2372 wrote to memory of 1032	2372	cmd.exe	test.exe
PID 2372 wrote to memory of 1032	2372	cmd.exe	test.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
2⤵
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXAlJeWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp866F.tmp"
3⤵
- Creates scheduled task(s)
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\c03ce838f2bba250ac039f9509f7c93e.exe
"C:\Users\Admin\AppData\Local\Temp\c03ce838f2bba250ac039f9509f7c93e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-26-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1032-6-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1032-5-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/1032-7-0x00000000042E0000-0x0000000004320000-memory.dmp

Filesize
256KB

Download
memory/1032-8-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1032-9-0x0000000001F80000-0x0000000001FAC000-memory.dmp

Filesize
176KB

Download
memory/2580-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2580-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-0-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2640-10-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2640-29-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads