0426b6382cb164e83c8198d8a5978099e177a55112180b321c7ebd6d3f102931

General

Target

ae1f3bbd3e116661c35c4aaf7430472b.exe
Size

3.0MB
MD5

ae1f3bbd3e116661c35c4aaf7430472b
SHA1

b877f774a5a38c4c754b94dc98308dc900e07935
SHA256

0426b6382cb164e83c8198d8a5978099e177a55112180b321c7ebd6d3f102931
SHA512

72677c7ba8b607b35ed9c9ff44436ac82bf565e92c83d2f75aec0cf5ab9ec8ce535609bb212bbeae49dbd405067e99e67b2e04aa6d62ebff59473e372e957dc3
SSDEEP

49152:O3Suo2HNZz14C6DcakLVy5dv5sgpkB5+PcakLTSsiYMD4wPnQJcakLVy5dv5sgp4:O3k2HNt1scakhy595sgp9cak/SsiTD4M

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2100	ae1f3bbd3e116661c35c4aaf7430472b.exe

Executes dropped EXE 1 IoCs

pid	Process
2100	ae1f3bbd3e116661c35c4aaf7430472b.exe

Loads dropped DLL 1 IoCs

pid	Process
1740	ae1f3bbd3e116661c35c4aaf7430472b.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1740-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0008000000012254-11.dat	upx
behavioral1/memory/2100-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2624	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1740	ae1f3bbd3e116661c35c4aaf7430472b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1740	ae1f3bbd3e116661c35c4aaf7430472b.exe
2100	ae1f3bbd3e116661c35c4aaf7430472b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2100	1740	ae1f3bbd3e116661c35c4aaf7430472b.exe	29
PID 1740 wrote to memory of 2100	1740	ae1f3bbd3e116661c35c4aaf7430472b.exe	29
PID 1740 wrote to memory of 2100	1740	ae1f3bbd3e116661c35c4aaf7430472b.exe	29
PID 1740 wrote to memory of 2100	1740	ae1f3bbd3e116661c35c4aaf7430472b.exe	29
PID 2100 wrote to memory of 2624	2100	ae1f3bbd3e116661c35c4aaf7430472b.exe	30
PID 2100 wrote to memory of 2624	2100	ae1f3bbd3e116661c35c4aaf7430472b.exe	30
PID 2100 wrote to memory of 2624	2100	ae1f3bbd3e116661c35c4aaf7430472b.exe	30
PID 2100 wrote to memory of 2624	2100	ae1f3bbd3e116661c35c4aaf7430472b.exe	30
PID 2100 wrote to memory of 2840	2100	ae1f3bbd3e116661c35c4aaf7430472b.exe	32
PID 2100 wrote to memory of 2840	2100	ae1f3bbd3e116661c35c4aaf7430472b.exe	32
PID 2100 wrote to memory of 2840	2100	ae1f3bbd3e116661c35c4aaf7430472b.exe	32
PID 2100 wrote to memory of 2840	2100	ae1f3bbd3e116661c35c4aaf7430472b.exe	32
PID 2840 wrote to memory of 2568	2840	cmd.exe	34
PID 2840 wrote to memory of 2568	2840	cmd.exe	34
PID 2840 wrote to memory of 2568	2840	cmd.exe	34
PID 2840 wrote to memory of 2568	2840	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe
"C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe
  C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe" /TN ymuVbjyg4de6 /F
    3⤵
    - Creates scheduled task(s)
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN ymuVbjyg4de6 > C:\Users\Admin\AppData\Local\Temp\pOycVPjrV.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN ymuVbjyg4de6
      4⤵
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pOycVPjrV.xml

Filesize
1KB

MD5
fbec6363e7fde51399f7afc24fb79a35

SHA1
92515bca3a34ae74068c2de45219f79225873d8f

SHA256
53c260046cb45392ed90875d14b925d6449b3a32ff6f957639122b4e859ebe82

SHA512
0e071f6808f0802546a644407984f23d33bd9c8e91529857f25e334f4928172e9310a9eb5f133459e1a672720648834f4e357389d7b7ca670656b6b3f18b641f

Download Submit
\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe

Filesize
3.0MB

MD5
48033ef10a8532d7b3dde2d8c41b9cc9

SHA1
894737e723f6ffa5e7e0f7c7cc96007400ca6e91

SHA256
af4f3d47e11865bb19c329582f82714799117803013385e665c13a4e0744a6c6

SHA512
a9dcde3066bbeb39a14a6551a3a637e719029e9584cf9b915f9d2ea8b87e07807a42dcc109d0ff2a59a58c52b3f4f087891d6e69ebae4a325f44ee168ade1c65

Download Submit
memory/1740-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1740-2-0x0000000000350000-0x00000000003CE000-memory.dmp

Filesize
504KB

Download
memory/1740-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1740-16-0x0000000023530000-0x000000002378C000-memory.dmp

Filesize
2.4MB

Download
memory/1740-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1740-36-0x0000000023530000-0x000000002378C000-memory.dmp

Filesize
2.4MB

Download
memory/2100-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2100-28-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2100-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2100-20-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2100-37-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads