6b8438b681999bab58a9ae040254bf0e3909d04568f070e46bbb21796dbe908d

General

Target

5271418db637de150018c0c4f5b40ae6.exe
Size

473KB
MD5

5271418db637de150018c0c4f5b40ae6
SHA1

9f1cd9b5e8cad2d00d9b35abb33d4299ee3be989
SHA256

6b8438b681999bab58a9ae040254bf0e3909d04568f070e46bbb21796dbe908d
SHA512

5db108a811ab3c3b10c473bf00d94648058cc38571e57590a5aa6e370c62477d819ade7f2c6f268924d3e43062769377d81b8fa8f58e26335e8f4ffcead19a4b
SSDEEP

12288:qrzg6zr/IyX+mKT0LE89FRzAZ92QxT2puMODryI4foO:qPgyhKT0LE8XREpxT2puPHyIO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2344	5271418db637de150018c0c4f5b40ae6.exe

Executes dropped EXE 1 IoCs

pid	Process
2344	5271418db637de150018c0c4f5b40ae6.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	5271418db637de150018c0c4f5b40ae6.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x00000000005DC000-memory.dmp	upx
behavioral1/files/0x000c000000012243-11.dat	upx
behavioral1/memory/2644-15-0x0000000002D30000-0x0000000002F0C000-memory.dmp	upx
behavioral1/memory/2344-18-0x0000000000400000-0x00000000005DC000-memory.dmp	upx

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2784	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2644	5271418db637de150018c0c4f5b40ae6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2644	5271418db637de150018c0c4f5b40ae6.exe
2344	5271418db637de150018c0c4f5b40ae6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2344	2644	5271418db637de150018c0c4f5b40ae6.exe	29
PID 2644 wrote to memory of 2344	2644	5271418db637de150018c0c4f5b40ae6.exe	29
PID 2644 wrote to memory of 2344	2644	5271418db637de150018c0c4f5b40ae6.exe	29
PID 2644 wrote to memory of 2344	2644	5271418db637de150018c0c4f5b40ae6.exe	29
PID 2344 wrote to memory of 2784	2344	5271418db637de150018c0c4f5b40ae6.exe	30
PID 2344 wrote to memory of 2784	2344	5271418db637de150018c0c4f5b40ae6.exe	30
PID 2344 wrote to memory of 2784	2344	5271418db637de150018c0c4f5b40ae6.exe	30
PID 2344 wrote to memory of 2784	2344	5271418db637de150018c0c4f5b40ae6.exe	30
PID 2344 wrote to memory of 2716	2344	5271418db637de150018c0c4f5b40ae6.exe	32
PID 2344 wrote to memory of 2716	2344	5271418db637de150018c0c4f5b40ae6.exe	32
PID 2344 wrote to memory of 2716	2344	5271418db637de150018c0c4f5b40ae6.exe	32
PID 2344 wrote to memory of 2716	2344	5271418db637de150018c0c4f5b40ae6.exe	32
PID 2716 wrote to memory of 2832	2716	cmd.exe	34
PID 2716 wrote to memory of 2832	2716	cmd.exe	34
PID 2716 wrote to memory of 2832	2716	cmd.exe	34
PID 2716 wrote to memory of 2832	2716	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe
"C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe
  C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe" /TN BSpsfata099d /F
    3⤵
    - Creates scheduled task(s)
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN BSpsfata099d > C:\Users\Admin\AppData\Local\Temp\fqofoL.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN BSpsfata099d
      4⤵
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fqofoL.xml

Filesize
1KB

MD5
f37b34f0c8233e09168919c5c2935a77

SHA1
042bd2bfe4dcd567d0b7b6dd814b12f5fe09a7ef

SHA256
b585feb692aacfa3d3afb2c93b878f9b65ed0d499e2e3aa378a59224193f40f3

SHA512
4835d701ccc12e42a1a958809ee0843481c5b549be86e3f7d7e4cb1351ed92cacbc5a2f189c60e46003e2a4433588fd3a0e29ef6e058cf89a7144b2079e7f929

Download Submit
\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe

Filesize
473KB

MD5
318d410602456142ebd1d012be17f29c

SHA1
a2ba2492e9cad7645a612e5fed1e0d60abcf804d

SHA256
8401094efd457b54c304047b2a6e0ae502912ccff97bbfb5977006c923d4510d

SHA512
d1879fbd6ad2e87baf3d4686900f001e5f912317788c616a233f95a75c11b4759ab13c4326173d390d554f999193e18747e0b159a47b82184183ff078c128dcb

Download Submit
memory/2344-18-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2344-19-0x0000000000180000-0x00000000001F7000-memory.dmp

Filesize
476KB

Download
memory/2344-26-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2344-28-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/2344-36-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2644-0-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2644-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2644-2-0x0000000000380000-0x00000000003F7000-memory.dmp

Filesize
476KB

Download
memory/2644-15-0x0000000002D30000-0x0000000002F0C000-memory.dmp

Filesize
1.9MB

Download
memory/2644-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads