a30998e549f12ff75c1e8dd015a531218ee54d5f97486824a9adbf6392b9d175

General

Target

372377963f465b8328cfb6b4bf04c000.exe
Size

1.6MB
MD5

372377963f465b8328cfb6b4bf04c000
SHA1

5fb8b55ab82bac4e376611e5be1dfea8e42370ea
SHA256

a30998e549f12ff75c1e8dd015a531218ee54d5f97486824a9adbf6392b9d175
SHA512

12e4ce6508051ef9ff5d84e7688d51edeebfe414813c2a109b84369fc4aaf875c79915ecf817f1a4e605a5fe439f42e0774bd8cb09f297afe6673bf7e4ed3f7d
SSDEEP

49152:U2p9WDrI24K2Vop4cakLz0XWzJy581Sa3cakLz0O:vQrI24lVrcakcmzU581lcakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2488	372377963f465b8328cfb6b4bf04c000.exe

Executes dropped EXE 1 IoCs

pid	Process
2488	372377963f465b8328cfb6b4bf04c000.exe

Loads dropped DLL 1 IoCs

pid	Process
2428	372377963f465b8328cfb6b4bf04c000.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2428-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0003000000004ed5-11.dat	upx
behavioral1/files/0x0003000000004ed5-17.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1972	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2428	372377963f465b8328cfb6b4bf04c000.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2428	372377963f465b8328cfb6b4bf04c000.exe
2488	372377963f465b8328cfb6b4bf04c000.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2488	2428	372377963f465b8328cfb6b4bf04c000.exe	30
PID 2428 wrote to memory of 2488	2428	372377963f465b8328cfb6b4bf04c000.exe	30
PID 2428 wrote to memory of 2488	2428	372377963f465b8328cfb6b4bf04c000.exe	30
PID 2428 wrote to memory of 2488	2428	372377963f465b8328cfb6b4bf04c000.exe	30
PID 2488 wrote to memory of 1972	2488	372377963f465b8328cfb6b4bf04c000.exe	31
PID 2488 wrote to memory of 1972	2488	372377963f465b8328cfb6b4bf04c000.exe	31
PID 2488 wrote to memory of 1972	2488	372377963f465b8328cfb6b4bf04c000.exe	31
PID 2488 wrote to memory of 1972	2488	372377963f465b8328cfb6b4bf04c000.exe	31
PID 2488 wrote to memory of 2276	2488	372377963f465b8328cfb6b4bf04c000.exe	33
PID 2488 wrote to memory of 2276	2488	372377963f465b8328cfb6b4bf04c000.exe	33
PID 2488 wrote to memory of 2276	2488	372377963f465b8328cfb6b4bf04c000.exe	33
PID 2488 wrote to memory of 2276	2488	372377963f465b8328cfb6b4bf04c000.exe	33
PID 2276 wrote to memory of 2076	2276	cmd.exe	35
PID 2276 wrote to memory of 2076	2276	cmd.exe	35
PID 2276 wrote to memory of 2076	2276	cmd.exe	35
PID 2276 wrote to memory of 2076	2276	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\372377963f465b8328cfb6b4bf04c000.exe
"C:\Users\Admin\AppData\Local\Temp\372377963f465b8328cfb6b4bf04c000.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\372377963f465b8328cfb6b4bf04c000.exe
  C:\Users\Admin\AppData\Local\Temp\372377963f465b8328cfb6b4bf04c000.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\372377963f465b8328cfb6b4bf04c000.exe" /TN m8v9k5kD0c8e /F
    3⤵
    - Creates scheduled task(s)
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN m8v9k5kD0c8e > C:\Users\Admin\AppData\Local\Temp\oWcgYtI.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN m8v9k5kD0c8e
      4⤵
      PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\372377963f465b8328cfb6b4bf04c000.exe

Filesize
171KB

MD5
71b2021125310ec81acf94cc19bf6ebb

SHA1
f71efdffffc9a9dcfbfefbd3e193739efe4ccdee

SHA256
400209b3aae087e5c8f6d4541320cebd6a27cf328abeccf0a18ad5fc2ed2f480

SHA512
e5009af6db550565f1b1e9d01850cbed28af31e88b5a27c91ba5d9b95962f11b755601882e0e82a6fc7c577fe1c6eeb3ddc50ec85cede5ffd91723a400abe458

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWcgYtI.xml

Filesize
1KB

MD5
a819373faee4f43d883dd9d2c598b654

SHA1
a564a67a1c42f41b67e98adfaeed48e925986831

SHA256
685dd440d74723c3653a4a3748bd955685d8d42ccc23521ea59c5360ead81432

SHA512
018e851249609217194e5239b594a665ef22f41ef15f6e4ff6ab41b34dde7a790c63abf1ba02c7d6f28aa35b35958c02e093d7add0b22892667d8c540296ed92

Download Submit
\Users\Admin\AppData\Local\Temp\372377963f465b8328cfb6b4bf04c000.exe

Filesize
77KB

MD5
495df835e91b1dc3c35c5fca2ca97e0a

SHA1
a96d111b495e635a40f327bd409dfa1f1257b9d9

SHA256
f2fc8704ee6b33b801c0d0db86d4fd7e7006cff025a96409e6b7914a055c2d33

SHA512
31163eb28b4eb8ec45bf398692c26814acceb9b09037756ad2adb63d84aab1314366646cb9199c23c5ba555980e751960a4076622a058b6c94a4fe3f8dfc01cc

Download Submit
memory/2428-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2428-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2428-6-0x0000000000280000-0x00000000002FE000-memory.dmp

Filesize
504KB

Download
memory/2428-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2428-16-0x0000000023190000-0x00000000233EC000-memory.dmp

Filesize
2.4MB

Download
memory/2488-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2488-31-0x00000000002C0000-0x000000000032B000-memory.dmp

Filesize
428KB

Download
memory/2488-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2488-32-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2488-22-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads