f9934e8e4104400baacd0b31891c3df7557a3283a443804c3cf6c43d3e378510

General

Target

0ffbcee06e2f5040d464bcff95cd4d60.exe
Size

2.3MB
MD5

0ffbcee06e2f5040d464bcff95cd4d60
SHA1

ae3c65c54c602255359ba660a83545bcd94bda7a
SHA256

f9934e8e4104400baacd0b31891c3df7557a3283a443804c3cf6c43d3e378510
SHA512

631b9d251ed9477683e3406083cbe1fc27e0597f00788b7a127d2192bc727ca8b9cf5bc63ce6f6694710d7a7b254ce6fcb9b729e33472a62644e8c433be705ff
SSDEEP

49152:kuzFZ/0rAkC2Ct4BUZ3xu+JOkCw+VGtdrHJeKvgy:k+FerZC2CpZ3xu+BQSdjvz

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2308	svchost.exe
2168	0ffbcee06e2f5040d464bcff95cd4d60.exe
2084	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2308	svchost.exe
2308	svchost.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000148b8-10.dat	upx
behavioral1/files/0x00090000000148b8-14.dat	upx
behavioral1/files/0x00090000000148b8-16.dat	upx
behavioral1/files/0x00090000000148b8-12.dat	upx
behavioral1/files/0x00090000000148b8-22.dat	upx
behavioral1/memory/2168-19-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-260-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-262-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-264-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-266-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-270-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-272-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-274-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-276-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-280-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-282-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-284-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-286-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-288-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2168-290-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	0ffbcee06e2f5040d464bcff95cd4d60.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2168	0ffbcee06e2f5040d464bcff95cd4d60.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2308	1644	0ffbcee06e2f5040d464bcff95cd4d60.exe	28
PID 1644 wrote to memory of 2308	1644	0ffbcee06e2f5040d464bcff95cd4d60.exe	28
PID 1644 wrote to memory of 2308	1644	0ffbcee06e2f5040d464bcff95cd4d60.exe	28
PID 1644 wrote to memory of 2308	1644	0ffbcee06e2f5040d464bcff95cd4d60.exe	28
PID 2308 wrote to memory of 2168	2308	svchost.exe	29
PID 2308 wrote to memory of 2168	2308	svchost.exe	29
PID 2308 wrote to memory of 2168	2308	svchost.exe	29
PID 2308 wrote to memory of 2168	2308	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe
"C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe
    "C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2168

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe

Filesize
605KB

MD5
38cf54658d689b2a62e5c8b571e65133

SHA1
e5d9891e06eb4d79b24be1d4f610c311add3648c

SHA256
6de13f4d2ce17a7a37b7172af9c88afd90e4e2dd3d8a40b6505423ec8884e0d5

SHA512
bd164612883e7258ce2d12c74f0374cc44d6e0d2528044f9ece116eb677c2063c1f0d5895a8fb8b0041b8f0b078d1a8ab2af91d6fa1b12b90934ba6db74ce986

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe

Filesize
577KB

MD5
69d5aa1280dccb106cf2269b6ecca973

SHA1
c9f3e695035c322b6618f0e7ca1d5a1725ff4d6c

SHA256
4bd14a558696972631a907825adf7bad59a16ec3addacddf0c7293dd710d4060

SHA512
724a80e8667bb7b93152e06cee935e9a26eba529013f12c229a53dfe92236ea34bab42d6610f7ddb59805f4c1c9687ef4427eb8d4c29f382e8c30a5403779f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe

Filesize
92KB

MD5
73f097b633a02574fa1c6213ed51706b

SHA1
ba53968702f24093f9c22f29a8d02e175024a9ba

SHA256
75ed1fd20d1c420813e94b35984e02ac6acf3f2da6f83ee78af7e52e71c5a542

SHA512
75c11ad573ab20b445597df92762efaf0f72e5d5cab4889ebf35b76021f00db1b889eb24866911c7d414d470389fa7c44ada37318bef2f5131e9d47f36275b47

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe

Filesize
193KB

MD5
69b64d3bc864b9a23ad34a402d81b0fe

SHA1
871fc7d7b856d09eb3a933f71abfdd285166e259

SHA256
57f9d1775e3662a54579005f5923141dd6b567041a977ac1cfaf5cd1a5439110

SHA512
0d90ae55adb25dd1bf711c4c377cd6f33d79f8b30defcdf98954a7e02f99266018bc7058b0c41582089fd5071ef5f91102f34107661da7dc844ea11487c5b0c9

Download Submit
\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60.exe

Filesize
678KB

MD5
6d7ffb4aad849f763cd46f7c6638ce7f

SHA1
cc16ff23d4e11cfd253ad563781634b441439db7

SHA256
860b4fdb9953d2dc810a13cb1d7aa60699e3e607b4962618aad9c7bb654adf17

SHA512
f5ee7b80aad8f863f0266c60abe5f81cce234d82de430a0daf11ddedef6f8336200b301b73537d179fd25a3b0529dd5bed8c13dd52cc0a5d710cf8dbb5a04073

Download Submit
memory/1644-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2084-261-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2084-285-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2084-283-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2168-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-276-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-290-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-262-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-288-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-270-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-272-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-260-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-282-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-284-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2168-286-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2308-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2308-18-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2308-17-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing