830f2783f525b0c13539cd806c9b28db2582173bcadb5dd588221122247e610a

General

Target

15b7421962e1bb199d0fa96d0cccef45.exe
Size

3.9MB
MD5

15b7421962e1bb199d0fa96d0cccef45
SHA1

9a618cf3a855ac1746ade2e4327acfb3521ed3e9
SHA256

830f2783f525b0c13539cd806c9b28db2582173bcadb5dd588221122247e610a
SHA512

06685191b5bb1989cd4d9a511075da866b43696a9fb891e7525cfa597165d3db7b7ef1e38b04ee349b3b7d1166cd23976953b11d8d77f721a3b670a829ae8e9d
SSDEEP

98304:WSh/5K6VA9zyULG+0dKz4DpvA9zyULG+zktKaxWA9zyULG+0dKz4DpvA9zyULG+:dp5KxzLq7ae4zLqCkwax3zLq7ae4zLq

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1152	15b7421962e1bb199d0fa96d0cccef45.exe

Executes dropped EXE 1 IoCs

pid	Process
1152	15b7421962e1bb199d0fa96d0cccef45.exe

Loads dropped DLL 1 IoCs

pid	Process
1424	15b7421962e1bb199d0fa96d0cccef45.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1424-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a00000001225b-11.dat	upx
behavioral1/files/0x000a00000001225b-17.dat	upx
behavioral1/memory/1152-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/1424-16-0x00000000236E0000-0x000000002393C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2732	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1424	15b7421962e1bb199d0fa96d0cccef45.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1424	15b7421962e1bb199d0fa96d0cccef45.exe
1152	15b7421962e1bb199d0fa96d0cccef45.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1152	1424	15b7421962e1bb199d0fa96d0cccef45.exe	22
PID 1424 wrote to memory of 1152	1424	15b7421962e1bb199d0fa96d0cccef45.exe	22
PID 1424 wrote to memory of 1152	1424	15b7421962e1bb199d0fa96d0cccef45.exe	22
PID 1424 wrote to memory of 1152	1424	15b7421962e1bb199d0fa96d0cccef45.exe	22
PID 1152 wrote to memory of 2732	1152	15b7421962e1bb199d0fa96d0cccef45.exe	25
PID 1152 wrote to memory of 2732	1152	15b7421962e1bb199d0fa96d0cccef45.exe	25
PID 1152 wrote to memory of 2732	1152	15b7421962e1bb199d0fa96d0cccef45.exe	25
PID 1152 wrote to memory of 2732	1152	15b7421962e1bb199d0fa96d0cccef45.exe	25
PID 1152 wrote to memory of 2700	1152	15b7421962e1bb199d0fa96d0cccef45.exe	33
PID 1152 wrote to memory of 2700	1152	15b7421962e1bb199d0fa96d0cccef45.exe	33
PID 1152 wrote to memory of 2700	1152	15b7421962e1bb199d0fa96d0cccef45.exe	33
PID 1152 wrote to memory of 2700	1152	15b7421962e1bb199d0fa96d0cccef45.exe	33
PID 2700 wrote to memory of 2588	2700	cmd.exe	34
PID 2700 wrote to memory of 2588	2700	cmd.exe	34
PID 2700 wrote to memory of 2588	2700	cmd.exe	34
PID 2700 wrote to memory of 2588	2700	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe
"C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe
  C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe" /TN MXmKXYLpa01b /F
    3⤵
    - Creates scheduled task(s)
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\pgjzMA.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MXmKXYLpa01b
      4⤵
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe

Filesize
73KB

MD5
0636906a95265ae44d5a534f95dc53f0

SHA1
bcec4563523924af389e7975312134611d900a7b

SHA256
6cdbd512d31a7c637bf5ba28ad9a67884128f462b13b4274bbef6cb266e1aa32

SHA512
9c19c77b0654b94eaa9a5ab63ffbb1d19b4c967d4cb984514b989322528875176d71643291626a4fdedabb18a905801172ccc2ed62187d2ae58ee66b3d55e3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgjzMA.xml

Filesize
1KB

MD5
1289e2489febacab8ecba0a6d25428aa

SHA1
da3fdc9eb3b6ec01ccb66217e351420bf3681826

SHA256
14ca38f6d8c498f3aa932143ad1d84d7d64b7c44ca1f42f947f037f6331e0f92

SHA512
4992bea3da3838b4237f04f7e5971d0339ce72e7012afcb41acfd17d77244f4d86248d3c5caf69643495a68fcd7bddc09d623230b81425d36c0582f1f78e4f2c

Download Submit
\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe

Filesize
92KB

MD5
0f82a447f70025a1bf934a7463133e57

SHA1
310d2ba4ea166f456b8b4119d0071f41bbed0bfd

SHA256
7755ecf90fa5e297fbc98aa78b1c21c2464a6171b1b196568f43054615337455

SHA512
9fdf4005989ad5956be3a564709f1c5567797f10e27639b8313b81f5b187a7f518f205c3ceada3e2ec39a014fdb750cb3a96ad81947feb6049d97de87dd5c448

Download Submit
memory/1152-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1152-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1152-21-0x0000000000330000-0x00000000003AE000-memory.dmp

Filesize
504KB

Download
memory/1152-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1152-32-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1424-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1424-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1424-16-0x00000000236E0000-0x000000002393C000-memory.dmp

Filesize
2.4MB

Download
memory/1424-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1424-3-0x00000000001C0000-0x000000000023E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads