5ec15f2638b163bca26a4b8422386204c4aa6c2dee1d3072c7ed03cc8cb552c6

General

Target

58ff386fb4d341021bbaeed5b7d0aa06.exe
Size

472KB
MD5

58ff386fb4d341021bbaeed5b7d0aa06
SHA1

60683e10b801057ef27f86d8159d1b4be6dc783f
SHA256

5ec15f2638b163bca26a4b8422386204c4aa6c2dee1d3072c7ed03cc8cb552c6
SHA512

901a4bbac740691ba37c00837a82fca578b5d16d8da7eae9d78034da3e366827d5bf6ccf4982a230039527c57e188551a7481dfd87d7f7e0b6b85fb51131a73b
SSDEEP

12288:wElKbdncCI/z8+UaTKg6m4uh1qzTsHIAMntrUVix:wEqFcCa/DOgnnq3U9V

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2536	58ff386fb4d341021bbaeed5b7d0aa06.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	58ff386fb4d341021bbaeed5b7d0aa06.exe

Loads dropped DLL 1 IoCs

pid	Process
1544	58ff386fb4d341021bbaeed5b7d0aa06.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1544-0-0x0000000000400000-0x00000000005DA000-memory.dmp	upx
behavioral1/files/0x0008000000012222-11.dat	upx
behavioral1/memory/2536-18-0x0000000000400000-0x00000000005DA000-memory.dmp	upx
behavioral1/files/0x0008000000012222-17.dat	upx
behavioral1/files/0x0008000000012222-13.dat	upx

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2724	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1544	58ff386fb4d341021bbaeed5b7d0aa06.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1544	58ff386fb4d341021bbaeed5b7d0aa06.exe
2536	58ff386fb4d341021bbaeed5b7d0aa06.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2536	1544	58ff386fb4d341021bbaeed5b7d0aa06.exe	23
PID 1544 wrote to memory of 2536	1544	58ff386fb4d341021bbaeed5b7d0aa06.exe	23
PID 1544 wrote to memory of 2536	1544	58ff386fb4d341021bbaeed5b7d0aa06.exe	23
PID 1544 wrote to memory of 2536	1544	58ff386fb4d341021bbaeed5b7d0aa06.exe	23
PID 2536 wrote to memory of 2724	2536	58ff386fb4d341021bbaeed5b7d0aa06.exe	24
PID 2536 wrote to memory of 2724	2536	58ff386fb4d341021bbaeed5b7d0aa06.exe	24
PID 2536 wrote to memory of 2724	2536	58ff386fb4d341021bbaeed5b7d0aa06.exe	24
PID 2536 wrote to memory of 2724	2536	58ff386fb4d341021bbaeed5b7d0aa06.exe	24
PID 2536 wrote to memory of 1904	2536	58ff386fb4d341021bbaeed5b7d0aa06.exe	31
PID 2536 wrote to memory of 1904	2536	58ff386fb4d341021bbaeed5b7d0aa06.exe	31
PID 2536 wrote to memory of 1904	2536	58ff386fb4d341021bbaeed5b7d0aa06.exe	31
PID 2536 wrote to memory of 1904	2536	58ff386fb4d341021bbaeed5b7d0aa06.exe	31
PID 1904 wrote to memory of 2732	1904	cmd.exe	33
PID 1904 wrote to memory of 2732	1904	cmd.exe	33
PID 1904 wrote to memory of 2732	1904	cmd.exe	33
PID 1904 wrote to memory of 2732	1904	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\58ff386fb4d341021bbaeed5b7d0aa06.exe
"C:\Users\Admin\AppData\Local\Temp\58ff386fb4d341021bbaeed5b7d0aa06.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\58ff386fb4d341021bbaeed5b7d0aa06.exe
  C:\Users\Admin\AppData\Local\Temp\58ff386fb4d341021bbaeed5b7d0aa06.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\58ff386fb4d341021bbaeed5b7d0aa06.exe" /TN uhTCmbCqd877 /F
    3⤵
    - Creates scheduled task(s)
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\7jt69.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN uhTCmbCqd877
      4⤵
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58ff386fb4d341021bbaeed5b7d0aa06.exe

Filesize
201KB

MD5
b03a3380bf3346ee4da25bdaa9cd9c6a

SHA1
feab6cc8dc65ab6b4087cf76ca2185ae28d67cb4

SHA256
008b7f017502262f5886fcf903ad220196cb90394fe63276485d2c413a8a476b

SHA512
9ddd85be1566427fa136d998d9cc39a804bcfddcf21ed365fff7899b1f5ebb25d6e645a28d5fc68ae73681bfd474b81f8adc44de0d0d43373118398262918b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\58ff386fb4d341021bbaeed5b7d0aa06.exe

Filesize
150KB

MD5
801c866637320e34da2563a8df74dfd2

SHA1
4dfc15e677cdf3c376aa41de732347ea123e3127

SHA256
0f3ed73b46fecff502c85f47be91dc822c45ae711889d3f16f671b72961a6b19

SHA512
9988a2f1142b326245e67b97e5fee6b768cd22037146a41dad5bb8954d99b87443d9a321a02a7e5eece1fddc8203c87da4450eb92cbc3042e7b718863109ef5f

Download Submit
\Users\Admin\AppData\Local\Temp\58ff386fb4d341021bbaeed5b7d0aa06.exe

Filesize
196KB

MD5
a3ccc8a63821e97d5d43b9332946e165

SHA1
7c9397ce769d507922cd4d80b6c765d4b97ea2ff

SHA256
1af31618171b41373d6a45eab23abd225d0e12213aab8328f4fec680c3d28e43

SHA512
b69f948d859aa1bf25a4d199c922d8181e9e2d1469135ad66d37508318dd621844c3923ec31e262b2a22b890a21a845209dcf365cf80357c536d7aecc66a570f

Download Submit
memory/1544-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1544-0-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1544-15-0x0000000002F70000-0x000000000314A000-memory.dmp

Filesize
1.9MB

Download
memory/1544-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1544-1-0x0000000000180000-0x00000000001F6000-memory.dmp

Filesize
472KB

Download
memory/2536-18-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2536-19-0x0000000000180000-0x00000000001F6000-memory.dmp

Filesize
472KB

Download
memory/2536-29-0x00000000002A0000-0x0000000000306000-memory.dmp

Filesize
408KB

Download
memory/2536-26-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2536-36-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads