0169754271bd32b07ef6d3578c37a842e95d834cb50682e494c52eddd41caf8f

General

Target

47dd4bd199f1685362ab94208fdf1c46.exe
Size

443KB
MD5

47dd4bd199f1685362ab94208fdf1c46
SHA1

a0d7842e93961334457db22f228f94ad748b2e73
SHA256

0169754271bd32b07ef6d3578c37a842e95d834cb50682e494c52eddd41caf8f
SHA512

9d2025bb67e6532f8eabd1bcf3882897685e6df7f11a20898df62b05da7fd62d889f6a42d0eebc148787a8ac3a4c9513faf52bdf7835f993fa1455aaf0f204f2
SSDEEP

6144:2bNacSdAG8sDKnsmJ7mBm/ZMVT5k/AtGRF2hjnXlJpWRnNXa2ea77kWWzxLFn/s5:XcSd1ismVO6+GRCX7K3kNzx9/s+vz3Ql

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3880-70-0x0000000000B50000-0x0000000000B80000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4920	sc.exe
1644	sc.exe

Program crash 1 IoCs

pid	pid_target	Process
4564	3880	WerFault.exe

Runs net.exe

C:\Users\Admin\AppData\Local\Temp\47dd4bd199f1685362ab94208fdf1c46.exe
"C:\Users\Admin\AppData\Local\Temp\47dd4bd199f1685362ab94208fdf1c46.exe"
1⤵
PID:2940
- C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\exrev.exe
  "C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\exrev.exe"
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\1EuroP.exe"
  2⤵
  PID:4200
- C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\6tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\6tbp.exe"
  2⤵
  PID:428
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\mseyRe.dll",Startup
    3⤵
    PID:1384
- C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\IR.exe"
  2⤵
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\3E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\3E4U - Bucks.exe"
  2⤵
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\2IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\2IC.exe"
  2⤵
  PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3880 -ip 3880
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 508
1⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\Rundll32.exe
Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
1⤵
PID:3064
- C:\Windows\SysWOW64\runonce.exe
  "C:\Windows\system32\runonce.exe" -r
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\grpconv.exe
    "C:\Windows\System32\grpconv.exe" -o
    3⤵
    PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\mesmfpwk.bat
1⤵
PID:2204

C:\Users\Admin\AppData\Roaming\jpposh.exe
C:\Users\Admin\AppData\Roaming\jpposh.exe -d3C2FDC3602C532EDAB5A587F77335653F267A9D9573580495A360076DC0A8FE790EC6D70ABD726780470AC035967153D905342AA2D8614485A63C9B52857B7C5FBB28926424A9E72E1A0480FF70CECE6F1C6622E02B3FBFB71C31C74699D4EC826713527B9A7C878B97FBEE993501B4E5FE22C1F673C82B5B99BACE280FEB307F9EFB61F41030FC84776E5B6AE6A1D8C638E06062DD736088B106E318E5082659FFA91EC4A2C220C83D4D18B0895AF31C5AE94276644E451808D9916F5B1977F80FF8C9E85C9EE1EA6D6D842A435CF8C8E30BCF9612F98E47093A131559311C644F8ABA7E5579E2F2A2B8E1FC10BBAF9083DA38AB0C3A01475C53AB2906B4B20D63832989810A115C621C8F4E1A8EB2DBC1CAD94250A8912E7D05B13C66BE4DE5D11A85F1259A39E754B9CE3C5DB22CE71A7803ACF4D2011615237405821B7C5430DD1AB02E6922D6F7E5E136EAF5ABD333800400184718DBA13442EE80CE39B3257B3AE59479A312DFFA3FF1CCAD1B648E7533B4B18CAF90BF0382C56D6C47F113E9159493927D3691A41D252BE038F3B35DEE57D4EB8C2AF1C0676C3D9F6E30A6DF25B43E1E9A01A994D27CF14AD67D57746A5AAE708E33D18E49990A7588E862A9998F78FCAE27B141B9F95ECCD4E1EFB6F10
1⤵
PID:1592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
1⤵
PID:4416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
1⤵
PID:2012

C:\Users\Admin\AppData\Roaming\jpposh.exe
C:\Users\Admin\AppData\Roaming\jpposh.exe
1⤵
PID:2864

C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
1⤵
- Launches sc.exe
PID:4920

C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
1⤵
PID:4360

C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
1⤵
- Launches sc.exe
PID:1644

C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
1⤵
PID:1784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\1EuroP.exe

Filesize
91KB

MD5
7c0bd454f91d3626e9c056f743c7992d

SHA1
942f936d5ab0f3175b5ea605765b272211c68bb6

SHA256
cf990f0d542c54ecad711e5a4ccfe233f16791e2699db7e753e26346cecdb42c

SHA512
07db4fd20e81a4cbe40d0b2e0debbe496aab61f10e38193f352ccbab8dfe98aad0c9d656192c1c55ba1295cd89ff5ed8fea27e646f6e6fbae98f02e9dec09eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\2IC.exe

Filesize
188KB

MD5
ba547c42a869b0d4c163cd713d4799f0

SHA1
1655e5dd5d468d70711babba56c3a675b63039df

SHA256
71184940ffed491a7ff3ab76672310e4fb9cd985988eb4e4ef8cf17d1cf6c781

SHA512
20a4c249b3bcd845014102a958c8a8423d0072ec61edd68d21b12c2981b3f4b6c0afe69b238e1705c1352305745afb012968e8e6d121e02d1bc2e6e486a40b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\3E4U - Bucks.exe

Filesize
27KB

MD5
5f6c6b5e491ac60e088adba6dd5791c2

SHA1
292f4b81b3eee53877c672faf540aceeb2fc881f

SHA256
b010d2d5cdee46b1b97b88aa48968ffd34f6e3e382b250c98f2e1a89c950e018

SHA512
59c15d1a3f8d14eb441bb6e187cd91eaa13114afa1d8220aa7d08e259ee28af6bab92258b624d9824944b1776f916b6b551f3c3be982262d28b5330c7ba28252

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\6tbp.exe

Filesize
92KB

MD5
4765b5cd4ea278947f514e0c6bca9ea3

SHA1
1d0526904748ea5c7106b2eb0d0619d3c70cbae0

SHA256
6208a24a8cca27d36cc7de195c1f13e4d316e94b0a10c30660fc58bc6948c250

SHA512
ba67c082a59f1882c41e4e1ec1a41e48319ea9163037b258933f6cf31e583d90e3be54a9f0dbd66ec7e444a9f939c698657103cd985c4beb4c55602b0d065a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa46B0.tmp\exrev.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
memory/428-103-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/428-75-0x00000000020C0000-0x00000000020D0000-memory.dmp

Filesize
64KB

Download
memory/428-64-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1384-79-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/1384-104-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1384-76-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/1384-73-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3684-95-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3684-94-0x00000000005E0000-0x0000000000628000-memory.dmp

Filesize
288KB

Download
memory/3684-93-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3684-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3880-69-0x0000000002DE0000-0x00000000040E0000-memory.dmp

Filesize
19.0MB

Download
memory/3880-70-0x0000000000B50000-0x0000000000B80000-memory.dmp

Filesize
192KB

Download
memory/4200-101-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4200-57-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/4200-107-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4200-106-0x00000000005B0000-0x00000000005CB000-memory.dmp

Filesize
108KB

Download
memory/4200-105-0x00000000005B0000-0x00000000005CB000-memory.dmp

Filesize
108KB

Download
memory/4200-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4200-78-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4200-110-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing