51a531269100f8a0e8ca943531aa7d8bc3e0794d82d715ea1573f539a434f6e1

General

Target

39cacb1e5e036ed43ebbd7737e3d5cfc.exe
Size

846KB
MD5

39cacb1e5e036ed43ebbd7737e3d5cfc
SHA1

4b14d9eb178db7d802b5c9c60e8239bddbc86e9b
SHA256

51a531269100f8a0e8ca943531aa7d8bc3e0794d82d715ea1573f539a434f6e1
SHA512

d2e90c86cb7eba185a2544a1eddac8162c9802dd553fccce6d560df19a612bdeb7d87b3b3a623e758cd9628ab00373b1c73b91512594f70c604bb58f9dca9555
SSDEEP

24576:dgdUqgZSQKh5q1B+EChdWCJ4CsnfZz9Q:daUkD7q1BmahCsnfZhQ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2684	027098.exe
2708	0102D0

Loads dropped DLL 3 IoCs

pid	Process
2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe
2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe
2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2904-19-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2684-51-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2684-46-0x0000000000050000-0x0000000000090000-memory.dmp	upx
behavioral1/memory/2904-53-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2904-58-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2684	2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe	28
PID 2904 wrote to memory of 2684	2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe	28
PID 2904 wrote to memory of 2684	2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe	28
PID 2904 wrote to memory of 2684	2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe	28
PID 2904 wrote to memory of 2708	2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe	29
PID 2904 wrote to memory of 2708	2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe	29
PID 2904 wrote to memory of 2708	2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe	29
PID 2904 wrote to memory of 2708	2904	39cacb1e5e036ed43ebbd7737e3d5cfc.exe	29

C:\Users\Admin\AppData\Local\Temp\39cacb1e5e036ed43ebbd7737e3d5cfc.exe
"C:\Users\Admin\AppData\Local\Temp\39cacb1e5e036ed43ebbd7737e3d5cfc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Roaming\0259F0\027098.exe
  "C:\Users\Admin\AppData\Roaming\0259F0\027098.exe" -launcher
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\0102D0
  "C:\Users\Admin\AppData\Local\Temp\0102D0"
  2⤵
  - Executes dropped EXE
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0259F0\027098.exe

Filesize
182KB

MD5
038c1e192f7ca16bedac85d9db32daf4

SHA1
9f6a1457c5b95258a9d4551d489e3ae6f8c22d27

SHA256
f1c29c2edbf7e781040e5498c29180d7bc94f5c55ac214565478dcc2571aa79d

SHA512
6fb6cf6851e0676c72cacc8f1be44d4bd28dd244ddf4f18999ef967dfbe4b730872a3e75c61e30bdc6bc587b8b9a17cd98d898dcbf6e7a0481c5d1b9b60cc40c

Download Submit
C:\Users\Admin\AppData\Roaming\0259F0\027098.exe.lnk

Filesize
792B

MD5
fda374da75088337a8db91b4a909a434

SHA1
34a3455a23fefa382c614546a71c7e34e267d63a

SHA256
111a2151b7d65943a621829d2cde3bae31ba533638fbdfdd593236ae26fcf422

SHA512
8378bd7facfdca9deb5681fe182bde90986cc7e4549fa6737367a5cb095f85d573b8c4b06572ca28d12a21544b51755a9963ad17da975048ae25ddd605a090fb

Download Submit
\Users\Admin\AppData\Local\Temp\0102D0

Filesize
664KB

MD5
3f2b2a833aa3461d83d1a5fb958e7ec2

SHA1
3486d8a229c1cfe387a1a2bac0881a4c4dca48ce

SHA256
23bf382662f8b7a695cb37084176423e96668917cd504568901ad0135f592631

SHA512
0cadca322a44149a7092a0e2cff796cdcf49b73c59381bb9169ff2c1ecc2b6a0b4ac9c1b881ab890c4aac0a582d42c332c9fafecaeb3304b38343a9378a35ff0

Download Submit
memory/2684-46-0x0000000000050000-0x0000000000090000-memory.dmp

Filesize
256KB

Download
memory/2684-41-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/2684-51-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2684-42-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/2904-18-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2904-12-0x0000000000050000-0x0000000000090000-memory.dmp

Filesize
256KB

Download
memory/2904-1-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/2904-2-0x00000000776D0000-0x00000000776D1000-memory.dmp

Filesize
4KB

Download
memory/2904-19-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2904-0-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/2904-53-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2904-54-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/2904-55-0x0000000000050000-0x0000000000090000-memory.dmp

Filesize
256KB

Download
memory/2904-58-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing