2bd2a01cf1a0c3ce7f70e8384c7381d15e7556c2648fac8a60f81cdf4ef606cd

General

Target

VirusShare_ddd26d7331c9f5c13808c3bd60be58b0.dll
Size

156KB
MD5

ddd26d7331c9f5c13808c3bd60be58b0
SHA1

1b63a6aa739bf9253f4396768916cf9b1e0c5231
SHA256

2bd2a01cf1a0c3ce7f70e8384c7381d15e7556c2648fac8a60f81cdf4ef606cd
SHA512

2b7a5869786ce1367eff766ac28cb2da3318af7b01bb78037910740a0e6dfee8f8d052c58dfe55d13c40d62550107df6675ae83b072f898464ca0ed2efdc44ac
SSDEEP

1536:fEaBb0Tb2bV59Onx2pCrfl5lwFdkqMeyA4yD5u6saYum9qDgj8LNQ2Gn1a:fEax0OxXmx2SqOqMPA1gxaM9Vj8VGn1

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 15 IoCs

resource	yara_rule
behavioral2/memory/2940-0-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/2940-2-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/2940-4-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/2940-5-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-11-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-12-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-21-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/2940-20-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-32-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-47-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-64-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-174-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-185-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-200-0x000000000B000000-0x000000000B031000-memory.dmp	UPX
behavioral2/memory/4268-217-0x000000000B000000-0x000000000B031000-memory.dmp	UPX

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	4268	rundll32.exe
22	4268	rundll32.exe
43	4268	rundll32.exe
48	4268	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4268	rundll32.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2940-0-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/2940-2-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/2940-4-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/2940-5-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-11-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-12-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-21-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/2940-20-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-32-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-47-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-64-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-174-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-185-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-200-0x000000000B000000-0x000000000B031000-memory.dmp	upx
behavioral2/memory/4268-217-0x000000000B000000-0x000000000B031000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\PROGRA~3\wlrlejw1.fee	rundll32.exe
File opened for modification	C:\PROGRA~3\wlrlejw1.fee	rundll32.exe
File created	C:\PROGRA~3\1wjelrlw.cpp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2940	3832	rundll32.exe	83
PID 3832 wrote to memory of 2940	3832	rundll32.exe	83
PID 3832 wrote to memory of 2940	3832	rundll32.exe	83
PID 2940 wrote to memory of 4268	2940	rundll32.exe	84
PID 2940 wrote to memory of 4268	2940	rundll32.exe	84
PID 2940 wrote to memory of 4268	2940	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_ddd26d7331c9f5c13808c3bd60be58b0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_ddd26d7331c9f5c13808c3bd60be58b0.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~3\1wjelrlw.cpp,XXS1
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\1wjelrlw.cpp

Filesize
128KB

MD5
dea5d7d9eb654b5f688b1386f50e39c2

SHA1
7162e8ab5f9096e88e84a35f2b7b2e58ec99938e

SHA256
cd069db3d8b23bec4f05ab0ad8f4c84cec90801b88d942e66a3bad0f7de29414

SHA512
a8c4992ee3f239805fb0431afa588f33cbff0fc93338dfec174e5d5927fa0abf6a88be5b71c07f92bd7df8e6bb1c8eb6946a167d2d921d5a35511f18fa534f09

Download Submit
C:\PROGRA~3\wlrlejw1.fee

Filesize
90.6MB

MD5
61e7bb9245386d110e8a6fe72d473e69

SHA1
635db1db02a225dc74d1c4f79e7056bb50754e12

SHA256
87c246547f4d4294ce46004419c7968209a426abeb16cdb78c17f97c810a28d1

SHA512
912c5ccc32aa1e0ecc6740f9cad3ce45cbaaa83c24eefc1d63a7983e8b7c8363c5c442e6c0769348942ad71294a432e55422738b7cdfad7b644d46be9f948120

Download Submit
C:\ProgramData\1wjelrlw.cpp

Filesize
156KB

MD5
ddd26d7331c9f5c13808c3bd60be58b0

SHA1
1b63a6aa739bf9253f4396768916cf9b1e0c5231

SHA256
2bd2a01cf1a0c3ce7f70e8384c7381d15e7556c2648fac8a60f81cdf4ef606cd

SHA512
2b7a5869786ce1367eff766ac28cb2da3318af7b01bb78037910740a0e6dfee8f8d052c58dfe55d13c40d62550107df6675ae83b072f898464ca0ed2efdc44ac

Download Submit
memory/2940-2-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/2940-3-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/2940-4-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/2940-5-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/2940-20-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/2940-0-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-12-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-21-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-11-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-32-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-47-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-64-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-174-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-185-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-200-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download
memory/4268-217-0x000000000B000000-0x000000000B031000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing