a00954882e678c7ef327523290102ecc25f6717fc8e73dd65adc206158d70665

General

Target

26d5136c8467051fe365316dbc7e96ba.exe
Size

1003KB
MD5

26d5136c8467051fe365316dbc7e96ba
SHA1

9d5c0be5778cdc090d7d9123b874a319ed268c82
SHA256

a00954882e678c7ef327523290102ecc25f6717fc8e73dd65adc206158d70665
SHA512

c8a5fcbdf68a5893a7cbf635fc60dcdf94c0b2b9aada23a6e4c9dc83582ecad72e1fda00f2446ab207111a69e74b3cc8f51af3614c2f721534b3f5f7ead53b9a
SSDEEP

24576:pSkzx6xEYJiSEsGQoadai7D3uITjIFOxo53ApIj:pSkzxLYtEsGQ7ai7D3xTgOxYwpK

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2332	26d5136c8467051fe365316dbc7e96ba.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	26d5136c8467051fe365316dbc7e96ba.exe

Loads dropped DLL 1 IoCs

pid	Process
2140	26d5136c8467051fe365316dbc7e96ba.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d000000012251-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2016	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2140	26d5136c8467051fe365316dbc7e96ba.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2140	26d5136c8467051fe365316dbc7e96ba.exe
2332	26d5136c8467051fe365316dbc7e96ba.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2332	2140	26d5136c8467051fe365316dbc7e96ba.exe	17
PID 2140 wrote to memory of 2332	2140	26d5136c8467051fe365316dbc7e96ba.exe	17
PID 2140 wrote to memory of 2332	2140	26d5136c8467051fe365316dbc7e96ba.exe	17
PID 2140 wrote to memory of 2332	2140	26d5136c8467051fe365316dbc7e96ba.exe	17
PID 2332 wrote to memory of 2016	2332	26d5136c8467051fe365316dbc7e96ba.exe	19
PID 2332 wrote to memory of 2016	2332	26d5136c8467051fe365316dbc7e96ba.exe	19
PID 2332 wrote to memory of 2016	2332	26d5136c8467051fe365316dbc7e96ba.exe	19
PID 2332 wrote to memory of 2016	2332	26d5136c8467051fe365316dbc7e96ba.exe	19
PID 2332 wrote to memory of 2856	2332	26d5136c8467051fe365316dbc7e96ba.exe	21
PID 2332 wrote to memory of 2856	2332	26d5136c8467051fe365316dbc7e96ba.exe	21
PID 2332 wrote to memory of 2856	2332	26d5136c8467051fe365316dbc7e96ba.exe	21
PID 2332 wrote to memory of 2856	2332	26d5136c8467051fe365316dbc7e96ba.exe	21
PID 2856 wrote to memory of 2896	2856	cmd.exe	22
PID 2856 wrote to memory of 2896	2856	cmd.exe	22
PID 2856 wrote to memory of 2896	2856	cmd.exe	22
PID 2856 wrote to memory of 2896	2856	cmd.exe	22

C:\Users\Admin\AppData\Local\Temp\26d5136c8467051fe365316dbc7e96ba.exe
"C:\Users\Admin\AppData\Local\Temp\26d5136c8467051fe365316dbc7e96ba.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\26d5136c8467051fe365316dbc7e96ba.exe
  C:\Users\Admin\AppData\Local\Temp\26d5136c8467051fe365316dbc7e96ba.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\26d5136c8467051fe365316dbc7e96ba.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\UHDHSjB.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN U5Z8sQiHf24d
      4⤵
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26d5136c8467051fe365316dbc7e96ba.exe

Filesize
1003KB

MD5
12c05bde62409bb6212fe876affa7d6b

SHA1
496a6f0c68059a12c3c325e4e091b9dd64844e3d

SHA256
db9936e9fcbc496811bae4738593190adc02c51cbc09ca0da41ede90d7450f19

SHA512
c1e7386325dc36e326dfec120d6d2b69e8f535b0b23e3a66a28dfa3a304ac3afeeb716816ee09555bd36b25d3c1f10de03aef6314aa61751e3d5bafecabeeabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UHDHSjB.xml

Filesize
1KB

MD5
9ceac302f261db766107b6e4707acd55

SHA1
c54f4a7ec99e3f82c92ce6c794c81a0d564df075

SHA256
ddca2bb56aa0d6d0dd97c18904af917763a37a955af6a61cd0b11aed7d7dcbcb

SHA512
69e1cfdc4c2df8f8e7c8f543f8f36e969de79a722cf5327cd4a350884e62a2efb7a372d9aaaee61fad52ad59fa05374e10cca2ff9992a3179551951008b6fc91

Download Submit
memory/2140-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2140-19-0x0000000023010000-0x000000002326C000-memory.dmp

Filesize
2.4MB

Download
memory/2140-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2140-2-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2140-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2140-54-0x0000000023010000-0x000000002326C000-memory.dmp

Filesize
2.4MB

Download
memory/2332-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2332-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2332-26-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2332-18-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2332-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads