19679cbc4b7cd73fd4501ed735c351aaf8335f2adbf8a1d25965e87b683cd5bd

General

Target

4df392aaa1d685e96cdc2cfbd98b75eb.exe
Size

3.9MB
MD5

4df392aaa1d685e96cdc2cfbd98b75eb
SHA1

4f5f91388dc11eac90e8d288b82ee51b007c41f6
SHA256

19679cbc4b7cd73fd4501ed735c351aaf8335f2adbf8a1d25965e87b683cd5bd
SHA512

b2f10bfc9597f4c4885496a1c8d9b6e0e826ee4c3461830601b45a7b595c9722edfd2436d101d10bb202bc2fd4e720422a903c8d631223b79d08c7c2dd6f16dd
SSDEEP

98304:2QXkDgpaCcakcibiqhGccFd3ucakcibiqh0V314pLG9cakcibiqhGccFd3ucakcO:2RgpxdlirRM5udlirqVl4g9dlirRM5u+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe

Executes dropped EXE 1 IoCs

pid	Process
1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe

Loads dropped DLL 1 IoCs

pid	Process
2500	4df392aaa1d685e96cdc2cfbd98b75eb.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d00000001224c-11.dat	upx
behavioral1/memory/1972-17-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d00000001224c-15.dat	upx
behavioral1/memory/2500-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2800	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2500	4df392aaa1d685e96cdc2cfbd98b75eb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2500	4df392aaa1d685e96cdc2cfbd98b75eb.exe
1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1972	2500	4df392aaa1d685e96cdc2cfbd98b75eb.exe	20
PID 2500 wrote to memory of 1972	2500	4df392aaa1d685e96cdc2cfbd98b75eb.exe	20
PID 2500 wrote to memory of 1972	2500	4df392aaa1d685e96cdc2cfbd98b75eb.exe	20
PID 2500 wrote to memory of 1972	2500	4df392aaa1d685e96cdc2cfbd98b75eb.exe	20
PID 1972 wrote to memory of 2800	1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe	15
PID 1972 wrote to memory of 2800	1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe	15
PID 1972 wrote to memory of 2800	1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe	15
PID 1972 wrote to memory of 2800	1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe	15
PID 1972 wrote to memory of 2844	1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe	19
PID 1972 wrote to memory of 2844	1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe	19
PID 1972 wrote to memory of 2844	1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe	19
PID 1972 wrote to memory of 2844	1972	4df392aaa1d685e96cdc2cfbd98b75eb.exe	19
PID 2844 wrote to memory of 2944	2844	cmd.exe	17
PID 2844 wrote to memory of 2944	2844	cmd.exe	17
PID 2844 wrote to memory of 2944	2844	cmd.exe	17
PID 2844 wrote to memory of 2944	2844	cmd.exe	17

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe" /TN QxutJGth3fd4 /F
1⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\RJxd1R9.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe
C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe
"C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe

Filesize
211KB

MD5
fe08a98582cb98e8d8c6aa767af8b19d

SHA1
8f3a5925c906d7e7dfe7e0668e468a8874f4c8a9

SHA256
41248c575d816f5b6ab3ea75418c89b1fa2fdb72b2bdd1f32e5f9bc056a4db81

SHA512
c0fc66aa58c260b46e6c07d9e6bc68a63bb6a70096707d94dde4a77419f3773e841ee4b67ed7faf4234e2e46cb6cf7c7377511702d8bc519259033f83e704cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJxd1R9.xml

Filesize
1KB

MD5
bcc453382fb1d403e4040bec2c188f4e

SHA1
215590b6f1493f09e5c02645a1e1ebb93c1688f6

SHA256
97432b5dc15231454385d1d6f536e731ce4adea940022360564a9a71bbd9f4fa

SHA512
8bb1f9fbd207ce0af897a3a10e1f75003fe7017274c8b351cef5b80815cf9bc8b37cb2fc4b98b4fe8a7c7e7cc93f85b5959eb3b77f016d8dc0bc087f9bff540b

Download Submit
\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe

Filesize
79KB

MD5
99c8e645a2140edc3c48ac2a8c5284a9

SHA1
64b4351e1d4eceee6a9e3cb40ec57ee9e5cdd359

SHA256
7f82a301f9cfe5af70ebd95797263c7edcc0eddb0c931bfc1ac74b5e3bd17e2c

SHA512
2f1a08953daa32c82abc615e16aeefb3b785429ddf6c9a710d592f114cf6c53e0182782a5fdf8c92d9e3c67e9f274ec87f6985ff8f7c15cdec2cda9238961728

Download Submit
memory/1972-20-0x0000000022DD0000-0x0000000022E4E000-memory.dmp

Filesize
504KB

Download
memory/1972-28-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/1972-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1972-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1972-53-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2500-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2500-3-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2500-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2500-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads