6f90fc470bd95393f53358db951ab38b0cf96b0f7317e8fd1264875a22b4f1eb

General

Target

542e13da76b48d2c7d12265f8d5abc10.exe
Size

16.6MB
MD5

542e13da76b48d2c7d12265f8d5abc10
SHA1

212c936a06ba9be1db12dd2c26f5ffeeda9380d0
SHA256

6f90fc470bd95393f53358db951ab38b0cf96b0f7317e8fd1264875a22b4f1eb
SHA512

4bb857feb772019afe5000dc3363fa6c9e3676e1ae52ce337d2e746875d291dec23f475d9efbd79ede77a00729bb1e2f62b27952337698ff4e4eca170cf09809
SSDEEP

49152:ccek/LTBUek/LTBUek/LTBUek/LTBUek/LTBUek/LTBUek/LTBUek/LTBUek/LTm:e

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
464	ouycgko.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4044-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x0007000000023222-18.dat	upx
behavioral2/memory/4044-36-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x0007000000023222-38.dat	upx
behavioral2/memory/464-40-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x0007000000023222-39.dat	upx
behavioral2/memory/4504-56-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/464-57-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-58-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-60-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-61-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-62-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-63-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-64-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-65-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-66-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-67-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-68-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-69-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4044-70-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aitepsv\aitepsv\iptxdgk\ouycgko.exe	542e13da76b48d2c7d12265f8d5abc10.exe
File opened for modification	C:\Windows\SysWOW64\aitepsv\aitepsv\iptxdgk\ouycgko.exe	542e13da76b48d2c7d12265f8d5abc10.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\itepsva\itepsva.exe	542e13da76b48d2c7d12265f8d5abc10.exe
File created	C:\Windows\SysWOW64\Help\upbiran.ini	542e13da76b48d2c7d12265f8d5abc10.exe
File created	C:\Windows\SysWOW64\Help\1.aitepsv	542e13da76b48d2c7d12265f8d5abc10.exe
File created	C:\Windows\SysWOW64\Help\2.aitepsv	542e13da76b48d2c7d12265f8d5abc10.exe
File created	C:\Windows\SysWOW64\aitepsv\aitepsv\iptxdgk\m.ini	542e13da76b48d2c7d12265f8d5abc10.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 464 set thread context of 4504	464	ouycgko.exe	98

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\aitepsv.hlp	542e13da76b48d2c7d12265f8d5abc10.exe
File created	C:\Windows\2.ini	542e13da76b48d2c7d12265f8d5abc10.exe
File opened for modification	C:\Windows\	542e13da76b48d2c7d12265f8d5abc10.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3664	4504	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4044	542e13da76b48d2c7d12265f8d5abc10.exe
4044	542e13da76b48d2c7d12265f8d5abc10.exe
4044	542e13da76b48d2c7d12265f8d5abc10.exe
4044	542e13da76b48d2c7d12265f8d5abc10.exe
4044	542e13da76b48d2c7d12265f8d5abc10.exe
4044	542e13da76b48d2c7d12265f8d5abc10.exe
4044	542e13da76b48d2c7d12265f8d5abc10.exe
4044	542e13da76b48d2c7d12265f8d5abc10.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	542e13da76b48d2c7d12265f8d5abc10.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 464	4044	542e13da76b48d2c7d12265f8d5abc10.exe	95
PID 4044 wrote to memory of 464	4044	542e13da76b48d2c7d12265f8d5abc10.exe	95
PID 4044 wrote to memory of 464	4044	542e13da76b48d2c7d12265f8d5abc10.exe	95
PID 464 wrote to memory of 4504	464	ouycgko.exe	98
PID 464 wrote to memory of 4504	464	ouycgko.exe	98
PID 464 wrote to memory of 4504	464	ouycgko.exe	98
PID 464 wrote to memory of 4504	464	ouycgko.exe	98
PID 464 wrote to memory of 4504	464	ouycgko.exe	98

C:\Users\Admin\AppData\Local\Temp\542e13da76b48d2c7d12265f8d5abc10.exe
"C:\Users\Admin\AppData\Local\Temp\542e13da76b48d2c7d12265f8d5abc10.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\aitepsv\aitepsv\iptxdgk\ouycgko.exe
  C:\Windows\system32\aitepsv\aitepsv\iptxdgk\ouycgko.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 12
      4⤵
      Program crash
      PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4504 -ip 4504
1⤵
PID:3504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
72aef6c0ebf80e58aaf6a0205a141f5c

SHA1
b6f48140ac0b69b74b0a4cfbdc1f61aafec0551e

SHA256
460ece2d9c11460c3c3632a817ec26faac0697de29182cb13ed6de7a8dfcdbce

SHA512
a6216e89e462ee098bac6db0307c066e245d6cd1d385408c7116d8fa668023f4f2b3fe5d4e4f2c1e0fc7a73cf24c70683b6492b0364af93def04c23cf101c19d

Download Submit
C:\Windows\SysWOW64\aitepsv\aitepsv\iptxdgk\ouycgko.exe

Filesize
722KB

MD5
4cae81f0b0924cf77741963b0c6db547

SHA1
38ed3a547acd470a8d1663e8d10c46fcf542bf6e

SHA256
cd13d1aff50835c89da4e4058a65b9d3fb3b5896841edf53ea8eda81fa116785

SHA512
23fc86bcf59b30f99de5024f1fad2e1f931e0aa684254b927e8f342b6ce73da0e8f5180b8e60259d1cf39f2c60f58f27142eac763829da968e584e17c074e6a9

Download Submit
C:\Windows\SysWOW64\aitepsv\aitepsv\iptxdgk\ouycgko.exe

Filesize
894KB

MD5
e2eec74edf3e55a94b868c20a4a539b3

SHA1
62abdfcd24a11cdf38863d4e004048d3c7ea3bfe

SHA256
27da8ff792ad51c66c74e30122bce5a5ae39a99a34b3f4efe43fe493d02ca36e

SHA512
b99a86efaefc49d868c23d5ad2affc0b386c5ff77e4630b1d741b42953c8dd7ec627992705d380f292c7639974713884fc15d3fa27460e2df8af958b5661ae0b

Download Submit
C:\Windows\SysWOW64\aitepsv\aitepsv\iptxdgk\ouycgko.exe

Filesize
381KB

MD5
8de90e31b590a5be56daa5806cd4494e

SHA1
8a22730861d2ed72b049be3b46d9d00375fb947a

SHA256
3b96e813a5758a1ecf136f7ca9d10376801bdc24fbe24bf93c068a4335675db2

SHA512
bd090a84911d3583c8e36e3f120edc025c595774980cd0acbc4e81795c41f2a6f3d3ad2d583b657c49062813a17c92cf634df1ac8e9265815eb8bd535ca7527a

Download Submit
memory/464-57-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/464-40-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-58-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-36-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-70-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-60-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-62-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-63-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-69-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-66-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4044-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4504-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing