08eff265be3a519280546a622958cacc190473d831f4812165fd6b87be72d691

General

Target

514a8870929a50a805e883f9e08acda2.exe
Size

1.6MB
MD5

514a8870929a50a805e883f9e08acda2
SHA1

ed4c44ed05895c064fa0552679a016bb7fa74235
SHA256

08eff265be3a519280546a622958cacc190473d831f4812165fd6b87be72d691
SHA512

1c8161df41d3cfce1e4852717c0599b12ef9266208f07ccdf48182c11a6e3f1a6185da64a087fd44a1952cc394bb0ab38122d6ea774d4ab8aa2761fa49811f85
SSDEEP

49152:AdZKDqFNDpl3r8SvZEGYcakLz06Jrwko6ISSpSefcakLz0O:AdZKDqFNDpl3r8SvZEGYcakc+sBvxcaw

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1948	514a8870929a50a805e883f9e08acda2.exe

Executes dropped EXE 1 IoCs

pid	Process
1948	514a8870929a50a805e883f9e08acda2.exe

Loads dropped DLL 1 IoCs

pid	Process
2616	514a8870929a50a805e883f9e08acda2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2616-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b000000012251-15.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2664	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2616	514a8870929a50a805e883f9e08acda2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2616	514a8870929a50a805e883f9e08acda2.exe
1948	514a8870929a50a805e883f9e08acda2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1948	2616	514a8870929a50a805e883f9e08acda2.exe	34
PID 2616 wrote to memory of 1948	2616	514a8870929a50a805e883f9e08acda2.exe	34
PID 2616 wrote to memory of 1948	2616	514a8870929a50a805e883f9e08acda2.exe	34
PID 2616 wrote to memory of 1948	2616	514a8870929a50a805e883f9e08acda2.exe	34
PID 1948 wrote to memory of 2664	1948	514a8870929a50a805e883f9e08acda2.exe	30
PID 1948 wrote to memory of 2664	1948	514a8870929a50a805e883f9e08acda2.exe	30
PID 1948 wrote to memory of 2664	1948	514a8870929a50a805e883f9e08acda2.exe	30
PID 1948 wrote to memory of 2664	1948	514a8870929a50a805e883f9e08acda2.exe	30
PID 1948 wrote to memory of 2780	1948	514a8870929a50a805e883f9e08acda2.exe	33
PID 1948 wrote to memory of 2780	1948	514a8870929a50a805e883f9e08acda2.exe	33
PID 1948 wrote to memory of 2780	1948	514a8870929a50a805e883f9e08acda2.exe	33
PID 1948 wrote to memory of 2780	1948	514a8870929a50a805e883f9e08acda2.exe	33
PID 2780 wrote to memory of 2844	2780	cmd.exe	32
PID 2780 wrote to memory of 2844	2780	cmd.exe	32
PID 2780 wrote to memory of 2844	2780	cmd.exe	32
PID 2780 wrote to memory of 2844	2780	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\514a8870929a50a805e883f9e08acda2.exe
"C:\Users\Admin\AppData\Local\Temp\514a8870929a50a805e883f9e08acda2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\514a8870929a50a805e883f9e08acda2.exe
  C:\Users\Admin\AppData\Local\Temp\514a8870929a50a805e883f9e08acda2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1948

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\514a8870929a50a805e883f9e08acda2.exe" /TN U5Z8sQiHf24d /F
1⤵
- Creates scheduled task(s)
PID:2664

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN U5Z8sQiHf24d
1⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\gh3FS9.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\514a8870929a50a805e883f9e08acda2.exe

Filesize
92KB

MD5
2822644832189377982e79afcb274427

SHA1
6c653cc772986ea42d3d406313df57fcadbaae38

SHA256
8081a0792f4a87576fb56b0bcff4c0a6338376ae0a368bd97669f749071e2742

SHA512
fd37b89a4e88f07ba3f3a1eda62ec42437974f3cc707fdb546d79aec1cf3d3c07dc917389722c20fa3cb3a0c09ffeb3f6144a43cf024cc5b27dc7be4dcd2398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6FD5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
memory/1948-19-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/1948-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1948-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1948-21-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1948-51-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2616-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2616-7-0x0000000000220000-0x000000000029E000-memory.dmp

Filesize
504KB

Download
memory/2616-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2616-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads