1a7d788bd2e04d20872502a8611ef29f6a44ea7cb1ff3223d6acaf5727e599f8

General

Target

43d0675b59acb57e830264d41b79afd7.exe
Size

6.4MB
MD5

43d0675b59acb57e830264d41b79afd7
SHA1

1fd786ec85221cfb055482061be6722eff70f23c
SHA256

1a7d788bd2e04d20872502a8611ef29f6a44ea7cb1ff3223d6acaf5727e599f8
SHA512

63c5a699384a61287ac78a150a7e973a5e3ab152fc2df4df69b4c1c6f9ff3b21610915f2c2712fb196b04e014c88f10f15c43ca6debdea949489a645a240385f
SSDEEP

196608:+E87mg82gdlNGkwhgjldl613kh4zdlNGkwhgjldlcssdlNGkwhgjldl613kh4zdw:+Z7mqixW3e4rxIxW3e4rxM

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3304	43d0675b59acb57e830264d41b79afd7.exe

Executes dropped EXE 1 IoCs

pid	Process
3304	43d0675b59acb57e830264d41b79afd7.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3396-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0007000000023207-12.dat	upx

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1020	3304	WerFault.exe	94
4144	3304	WerFault.exe	94
1468	3304	WerFault.exe	94
4880	3304	WerFault.exe	94

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4748	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3396	43d0675b59acb57e830264d41b79afd7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3396	43d0675b59acb57e830264d41b79afd7.exe
3304	43d0675b59acb57e830264d41b79afd7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3304	3396	43d0675b59acb57e830264d41b79afd7.exe	94
PID 3396 wrote to memory of 3304	3396	43d0675b59acb57e830264d41b79afd7.exe	94
PID 3396 wrote to memory of 3304	3396	43d0675b59acb57e830264d41b79afd7.exe	94
PID 3304 wrote to memory of 4748	3304	43d0675b59acb57e830264d41b79afd7.exe	95
PID 3304 wrote to memory of 4748	3304	43d0675b59acb57e830264d41b79afd7.exe	95
PID 3304 wrote to memory of 4748	3304	43d0675b59acb57e830264d41b79afd7.exe	95
PID 3304 wrote to memory of 3252	3304	43d0675b59acb57e830264d41b79afd7.exe	97
PID 3304 wrote to memory of 3252	3304	43d0675b59acb57e830264d41b79afd7.exe	97
PID 3304 wrote to memory of 3252	3304	43d0675b59acb57e830264d41b79afd7.exe	97
PID 3252 wrote to memory of 4520	3252	cmd.exe	99
PID 3252 wrote to memory of 4520	3252	cmd.exe	99
PID 3252 wrote to memory of 4520	3252	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\43d0675b59acb57e830264d41b79afd7.exe
"C:\Users\Admin\AppData\Local\Temp\43d0675b59acb57e830264d41b79afd7.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\43d0675b59acb57e830264d41b79afd7.exe
  C:\Users\Admin\AppData\Local\Temp\43d0675b59acb57e830264d41b79afd7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\43d0675b59acb57e830264d41b79afd7.exe" /TN apJZ6MnXc37d /F
    3⤵
    - Creates scheduled task(s)
    PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN apJZ6MnXc37d > C:\Users\Admin\AppData\Local\Temp\WWQFx.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN apJZ6MnXc37d
      4⤵
      PID:4520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 648
    3⤵
    - Program crash
    PID:1020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 736
    3⤵
    - Program crash
    PID:4144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 740
    3⤵
    - Program crash
    PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 760
    3⤵
    - Program crash
    PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3304 -ip 3304
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3304 -ip 3304
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3304 -ip 3304
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3304 -ip 3304
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3304 -ip 3304
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43d0675b59acb57e830264d41b79afd7.exe

Filesize
116KB

MD5
21c963e7f86d43ee25aa86a2359acb05

SHA1
9bcce6762e8fe748ac7fd7e0b76067675c2fba18

SHA256
5cac7804852e851448f0d64aaa0abfa351a7c9042170d633ea86e6247ca7cbc3

SHA512
1966ab1ddc4f64b64b0c132271ac98692579e04855c0c5954eca103a0b9d42290b2d1f3efd08547561f062c85ba4f7693eca56ec789a555879127be19d92359b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWQFx.xml

Filesize
1KB

MD5
ad1caeab5b3565e6767f6912b2e7a5ed

SHA1
d5c506337d4d8ff17de937a1e4e1866272471dda

SHA256
dcd5c822a2db947bd5e24bc0a7829f25522e220dd8953753636c716fbff042a5

SHA512
daff723e9fd4cd6c5e0fb23b4e893cb24dbccf2b66789c3c231488dfd4041df045eb4b923e84aaa3fe42942713f66b3ca46d001667e6659b0612d214e5c8fa51

Download Submit
memory/3304-15-0x00000000016E0000-0x000000000175E000-memory.dmp

Filesize
504KB

Download
memory/3304-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3304-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3304-22-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/3304-32-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3396-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3396-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3396-4-0x0000000001760000-0x00000000017DE000-memory.dmp

Filesize
504KB

Download
memory/3396-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads