5e8f394af3a64f6668572813fc50b601ff5db528983a5f8b156745eb9c1fd3e1

General

Target

413a6e0e049280673465fda8038db365.exe
Size

1003KB
MD5

413a6e0e049280673465fda8038db365
SHA1

215f19d2f60888e3114468528cc60f5064f33fc7
SHA256

5e8f394af3a64f6668572813fc50b601ff5db528983a5f8b156745eb9c1fd3e1
SHA512

97baf478e22de2e947b7b7de1779f3f3ebc6b92b8d0b70f638821c8b3309e4d3e131d7f4d1913e9ac311dfb10a0fac43444f1d33cbddd8b378e3e9c43a6f0c30
SSDEEP

24576:zGzVb4fUiI36IDevIcH5f+64JRWFULCD+:zGzVb4fy36IoIcN+9zWFULG+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1244	413a6e0e049280673465fda8038db365.exe

Executes dropped EXE 1 IoCs

pid	Process
1244	413a6e0e049280673465fda8038db365.exe

Loads dropped DLL 1 IoCs

pid	Process
3064	413a6e0e049280673465fda8038db365.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000c000000014b4b-11.dat	upx
behavioral1/files/0x000c000000014b4b-17.dat	upx
behavioral1/memory/3064-16-0x0000000022EB0000-0x000000002310C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2960	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3064	413a6e0e049280673465fda8038db365.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3064	413a6e0e049280673465fda8038db365.exe
1244	413a6e0e049280673465fda8038db365.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1244	3064	413a6e0e049280673465fda8038db365.exe	15
PID 3064 wrote to memory of 1244	3064	413a6e0e049280673465fda8038db365.exe	15
PID 3064 wrote to memory of 1244	3064	413a6e0e049280673465fda8038db365.exe	15
PID 3064 wrote to memory of 1244	3064	413a6e0e049280673465fda8038db365.exe	15
PID 1244 wrote to memory of 2960	1244	413a6e0e049280673465fda8038db365.exe	16
PID 1244 wrote to memory of 2960	1244	413a6e0e049280673465fda8038db365.exe	16
PID 1244 wrote to memory of 2960	1244	413a6e0e049280673465fda8038db365.exe	16
PID 1244 wrote to memory of 2960	1244	413a6e0e049280673465fda8038db365.exe	16
PID 1244 wrote to memory of 2596	1244	413a6e0e049280673465fda8038db365.exe	27
PID 1244 wrote to memory of 2596	1244	413a6e0e049280673465fda8038db365.exe	27
PID 1244 wrote to memory of 2596	1244	413a6e0e049280673465fda8038db365.exe	27
PID 1244 wrote to memory of 2596	1244	413a6e0e049280673465fda8038db365.exe	27
PID 2596 wrote to memory of 2704	2596	cmd.exe	28
PID 2596 wrote to memory of 2704	2596	cmd.exe	28
PID 2596 wrote to memory of 2704	2596	cmd.exe	28
PID 2596 wrote to memory of 2704	2596	cmd.exe	28

C:\Users\Admin\AppData\Local\Temp\413a6e0e049280673465fda8038db365.exe
C:\Users\Admin\AppData\Local\Temp\413a6e0e049280673465fda8038db365.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\413a6e0e049280673465fda8038db365.exe" /TN Nnb8kaFf43a4 /F
  2⤵
  - Creates scheduled task(s)
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c schtasks.exe /Query /XML /TN Nnb8kaFf43a4 > C:\Users\Admin\AppData\Local\Temp\zLBnzCHqu.xml
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Query /XML /TN Nnb8kaFf43a4
    3⤵
    PID:2704

C:\Users\Admin\AppData\Local\Temp\413a6e0e049280673465fda8038db365.exe
"C:\Users\Admin\AppData\Local\Temp\413a6e0e049280673465fda8038db365.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\413a6e0e049280673465fda8038db365.exe

Filesize
33KB

MD5
377221ca9b132af24dcaae659edaa621

SHA1
9f7cfad2dec24cd60032a34352b3c35899556a9e

SHA256
c1a86e4e228b42a647a54c1d2c10d4f57c250a30a49c96150ca800eb2b0ed09a

SHA512
1fa90a8d9684861c05cda367bc302cb67b58e3bdfc752d47070b8b3e6e84d9c06cf175e5b48d2e400069149ad6bc38deaefa648cb9fed61dd040db98fe166052

Download Submit
\Users\Admin\AppData\Local\Temp\413a6e0e049280673465fda8038db365.exe

Filesize
89KB

MD5
1bac298d8c9cb398da653dc0f1b16b08

SHA1
20c67e4e3dc61ea27b68819fb65dc52a232ab7a0

SHA256
d0828a20af533a2b9664260d8fa054dd8fb3caf7fff3364082a115ccceafe5e0

SHA512
9909f7e9d60e837ed45efb0d7af45163e1b3699edc919a96d4f0f4bfecbdad3e96180ee7f467900dd1346b795718ff6362e04dfa2b9c51542a34e5a7c7ff40c2

Download Submit
memory/1244-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1244-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1244-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1244-22-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/1244-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3064-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3064-2-0x00000000001D0000-0x000000000024E000-memory.dmp

Filesize
504KB

Download
memory/3064-16-0x0000000022EB0000-0x000000002310C000-memory.dmp

Filesize
2.4MB

Download
memory/3064-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3064-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads