cefdef740c48781321a1d5ea1fb2e13f4b5a2c8858986b2afef44de8af51e8eb

General

Target

0be141f64e70b88b08e6490d01718fa2.exe
Size

16.2MB
MD5

0be141f64e70b88b08e6490d01718fa2
SHA1

9c32e1097013547d26b43470d5f0d862d058c09a
SHA256

cefdef740c48781321a1d5ea1fb2e13f4b5a2c8858986b2afef44de8af51e8eb
SHA512

7075fccf785cf58fb1b9e12099b7cc2bdb9600225aa25b7448011bd81ae9995227be6441231c26abbadc091f0eb29c526367a268bdf60f359a393dea35b2da37
SSDEEP

24576:cVU777777777yplplplplplplplplplpr:cn

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2716	yhlpoom.exe

Loads dropped DLL 2 IoCs

pid	Process
1052	0be141f64e70b88b08e6490d01718fa2.exe
1052	0be141f64e70b88b08e6490d01718fa2.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1052-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/files/0x0006000000016cdc-13.dat	upx
behavioral1/memory/2716-44-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2716-66-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2580-64-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/files/0x0006000000016cdc-37.dat	upx
behavioral1/memory/1052-67-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-68-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-70-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-71-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-72-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-73-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-74-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-75-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-76-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-77-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-78-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-79-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-80-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1052-81-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Help\1.wqvyryc	0be141f64e70b88b08e6490d01718fa2.exe
File created	C:\Windows\SysWOW64\Help\2.wqvyryc	0be141f64e70b88b08e6490d01718fa2.exe
File created	C:\Windows\SysWOW64\wqvyryc\wqvyryc\rejkknm\m.ini	0be141f64e70b88b08e6490d01718fa2.exe
File created	C:\Windows\SysWOW64\wqvyryc\wqvyryc\rejkknm\yhlpoom.exe	0be141f64e70b88b08e6490d01718fa2.exe
File opened for modification	C:\Windows\SysWOW64\wqvyryc\wqvyryc\rejkknm\yhlpoom.exe	0be141f64e70b88b08e6490d01718fa2.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\qvyrycw\qvyrycw.exe	0be141f64e70b88b08e6490d01718fa2.exe
File created	C:\Windows\SysWOW64\Help\upbiran.ini	0be141f64e70b88b08e6490d01718fa2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2580	2716	yhlpoom.exe	28

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\wqvyryc.hlp	0be141f64e70b88b08e6490d01718fa2.exe
File created	C:\Windows\2.ini	0be141f64e70b88b08e6490d01718fa2.exe
File opened for modification	C:\Windows\	0be141f64e70b88b08e6490d01718fa2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1052	0be141f64e70b88b08e6490d01718fa2.exe
1052	0be141f64e70b88b08e6490d01718fa2.exe
1052	0be141f64e70b88b08e6490d01718fa2.exe
1052	0be141f64e70b88b08e6490d01718fa2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	0be141f64e70b88b08e6490d01718fa2.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2716	1052	0be141f64e70b88b08e6490d01718fa2.exe	29
PID 1052 wrote to memory of 2716	1052	0be141f64e70b88b08e6490d01718fa2.exe	29
PID 1052 wrote to memory of 2716	1052	0be141f64e70b88b08e6490d01718fa2.exe	29
PID 1052 wrote to memory of 2716	1052	0be141f64e70b88b08e6490d01718fa2.exe	29
PID 2716 wrote to memory of 2580	2716	yhlpoom.exe	28
PID 2716 wrote to memory of 2580	2716	yhlpoom.exe	28
PID 2716 wrote to memory of 2580	2716	yhlpoom.exe	28
PID 2716 wrote to memory of 2580	2716	yhlpoom.exe	28
PID 2716 wrote to memory of 2580	2716	yhlpoom.exe	28
PID 2716 wrote to memory of 2580	2716	yhlpoom.exe	28

C:\Users\Admin\AppData\Local\Temp\0be141f64e70b88b08e6490d01718fa2.exe
"C:\Users\Admin\AppData\Local\Temp\0be141f64e70b88b08e6490d01718fa2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\wqvyryc\wqvyryc\rejkknm\yhlpoom.exe
  C:\Windows\system32\wqvyryc\wqvyryc\rejkknm\yhlpoom.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2716

C:\Windows\SysWOW64\svchost.exe
svchost.exe -NetworkService
1⤵
PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wqvyryc\wqvyryc\rejkknm\yhlpoom.exe

Filesize
93KB

MD5
f646cfbf4328b17e4f7f6b7988b274b2

SHA1
8b860cc06bbc8bbf72e05081fe137c582d603787

SHA256
127907b1af80c43a48f93dccf282104c2b133de579126d949df4c36c602cfa67

SHA512
6c83145e0d309300c35eb830a3a45321e92f8182da5c7eed66445a8d471ef7b65bde263368411d8d587a5aad65a0ee5f9b0c478fc58d21fddb7a336daf2bade3

Download Submit
\Windows\SysWOW64\wqvyryc\wqvyryc\rejkknm\yhlpoom.exe

Filesize
92KB

MD5
89fe1d73a0cacf3149f6272cd2dafd44

SHA1
3708e24385ed8800304e01b3da097f1fec79ce5b

SHA256
d65b627202b3814056fdd55554e742e0a8b7ed2a1827a66f829eb4392aa39cd5

SHA512
d7c65bab21b48843dc734ab389c1981bcd515af5a4616657fd49e42d491bcf2e402bf304c56c004a2c3e5399497754a79e7f14438f4f17f1fb28d0f81d7d738e

Download Submit
memory/1052-75-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-69-0x0000000001FA0000-0x000000000200D000-memory.dmp

Filesize
436KB

Download
memory/1052-70-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-80-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-79-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-78-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-43-0x0000000001FA0000-0x000000000200D000-memory.dmp

Filesize
436KB

Download
memory/1052-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-71-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-42-0x0000000001FA0000-0x000000000200D000-memory.dmp

Filesize
436KB

Download
memory/1052-81-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-72-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-73-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-74-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-77-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1052-76-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2580-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2580-65-0x00000000008F0000-0x00000000008F0000-memory.dmp

Download
memory/2716-44-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2716-66-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing