3d27e814116e5659f00c28e1cc0908d3fcf690a629565db910090e7c9f57299e

General

Target

004fd0b808d32e4cd57b86dfd6888cf7.exe
Size

22.4MB
MD5

004fd0b808d32e4cd57b86dfd6888cf7
SHA1

54cc6cd80fe2cd825062d138c923540a40e66a61
SHA256

3d27e814116e5659f00c28e1cc0908d3fcf690a629565db910090e7c9f57299e
SHA512

e7dc153185eedcf36580b2544212a1276ba2d901554fb8ee4daead2db8874303d2ba09cc43ed8a689eaecdbc657dab2f68b5dd2ea8a460a2f7e0558dcb06cd60
SSDEEP

49152:c3+i9PkYByX4+i9PkYByX4+i9PkYByX4+i9PkYByX4+i9PkYByX4+i9PkYByX4+7:f

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	vxrepai.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3700-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3052-39-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3052-56-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-57-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-58-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-59-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-60-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-61-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-62-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-63-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-64-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-65-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-66-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-67-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-68-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-69-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3700-70-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\klcxxiw\klcxxiw\fmbpela\m.ini	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\SysWOW64\klcxxiw\klcxxiw\fmbpela\vxrepai.exe	004fd0b808d32e4cd57b86dfd6888cf7.exe
File opened for modification	C:\Windows\SysWOW64\klcxxiw\klcxxiw\fmbpela\vxrepai.exe	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\lcxxiwk\lcxxiwk.exe	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\SysWOW64\Help\upbiran.ini	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\SysWOW64\Help\1.klcxxiw	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\SysWOW64\Help\2.klcxxiw	004fd0b808d32e4cd57b86dfd6888cf7.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\klcxxiw.hlp	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\2.ini	004fd0b808d32e4cd57b86dfd6888cf7.exe
File opened for modification	C:\Windows\	004fd0b808d32e4cd57b86dfd6888cf7.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3700	004fd0b808d32e4cd57b86dfd6888cf7.exe
3700	004fd0b808d32e4cd57b86dfd6888cf7.exe
3700	004fd0b808d32e4cd57b86dfd6888cf7.exe
3700	004fd0b808d32e4cd57b86dfd6888cf7.exe
3700	004fd0b808d32e4cd57b86dfd6888cf7.exe
3700	004fd0b808d32e4cd57b86dfd6888cf7.exe
3700	004fd0b808d32e4cd57b86dfd6888cf7.exe
3700	004fd0b808d32e4cd57b86dfd6888cf7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	004fd0b808d32e4cd57b86dfd6888cf7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 3052	3700	004fd0b808d32e4cd57b86dfd6888cf7.exe	97
PID 3700 wrote to memory of 3052	3700	004fd0b808d32e4cd57b86dfd6888cf7.exe	97
PID 3700 wrote to memory of 3052	3700	004fd0b808d32e4cd57b86dfd6888cf7.exe	97
PID 3052 wrote to memory of 3576	3052	vxrepai.exe	98
PID 3052 wrote to memory of 3576	3052	vxrepai.exe	98
PID 3052 wrote to memory of 3576	3052	vxrepai.exe	98

C:\Users\Admin\AppData\Local\Temp\004fd0b808d32e4cd57b86dfd6888cf7.exe
"C:\Users\Admin\AppData\Local\Temp\004fd0b808d32e4cd57b86dfd6888cf7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\klcxxiw\klcxxiw\fmbpela\vxrepai.exe
  C:\Windows\system32\klcxxiw\klcxxiw\fmbpela\vxrepai.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:3576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

F:\RECYCLER\S-1-5-18\Dc8\lcxxiwk\lcxxiwk009.IMD

Filesize
2.2MB

MD5
cc1742ef0a0b7fabe87129152b5a77f0

SHA1
2f9853cc37478cb925b610da4a10cd9816970588

SHA256
f1e35f4fa11d129090a00fe9827195bd9a0c8a16e5f55f742175f05adc7e35c3

SHA512
1ec4e411ea9bdb6c1bf8e5e33a216b236e2d6577ac1a972b09d5db7c21372038c789aac552804ec7a71b68b0f181b1ab2c34a2a8575bc52d8068f2e27f98a633

Download Submit
memory/3052-39-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3052-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-60-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-57-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-58-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-59-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-62-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-63-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-66-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-69-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-70-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing