079589aa1f1fedadb65aa037a5c59fb7accef0471a61c3bed04355aa3d45548b

General

Target

b6effd527b53cdea520eb568180e71c0.exe
Size

46KB
MD5

b6effd527b53cdea520eb568180e71c0
SHA1

354b50d9833a3344c4e9b2ee15ef4ea2af37b7b1
SHA256

079589aa1f1fedadb65aa037a5c59fb7accef0471a61c3bed04355aa3d45548b
SHA512

c032792120375c550d84d8f633a46d3cd1402009e8f51b325d71bfb48fa3c81eedb19073e0860f3265f5b9d61e9d2b697b132b1aa1ab84aac0463f9a73e3cbf9
SSDEEP

768:mQxsLTveMukvbY96eIzfEmMEzxm1g/WQxqwdS5PMA97iBthFxLxKiDjq:SuMj065xJeQxqWS5PMSwDV5jq

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1852	rundll32.exe

Loads dropped DLL 8 IoCs

pid	Process
2352	rundll32.exe
1852	rundll32.exe
2352	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/756-0-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/756-7-0x0000000000400000-0x000000000061E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whhfd008.ocx	b6effd527b53cdea520eb568180e71c0.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\whh34001.ocx	b6effd527b53cdea520eb568180e71c0.exe
File opened for modification	C:\Program Files\Common Files\whh34001.ocx	b6effd527b53cdea520eb568180e71c0.exe
File created	C:\Program Files\Common Files\0F761EC7ce.dll	b6effd527b53cdea520eb568180e71c0.exe
File opened for modification	C:\Program Files\Common Files\0F761EC7ce.dll	b6effd527b53cdea520eb568180e71c0.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1852	rundll32.exe
1852	rundll32.exe
1852	rundll32.exe
1852	rundll32.exe
1852	rundll32.exe
1852	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1768	rundll32.exe
480	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1768	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2352	756	b6effd527b53cdea520eb568180e71c0.exe	28
PID 756 wrote to memory of 2352	756	b6effd527b53cdea520eb568180e71c0.exe	28
PID 756 wrote to memory of 2352	756	b6effd527b53cdea520eb568180e71c0.exe	28
PID 756 wrote to memory of 2352	756	b6effd527b53cdea520eb568180e71c0.exe	28
PID 756 wrote to memory of 2352	756	b6effd527b53cdea520eb568180e71c0.exe	28
PID 756 wrote to memory of 2352	756	b6effd527b53cdea520eb568180e71c0.exe	28
PID 756 wrote to memory of 2352	756	b6effd527b53cdea520eb568180e71c0.exe	28
PID 756 wrote to memory of 1768	756	b6effd527b53cdea520eb568180e71c0.exe	29
PID 756 wrote to memory of 1768	756	b6effd527b53cdea520eb568180e71c0.exe	29
PID 756 wrote to memory of 1768	756	b6effd527b53cdea520eb568180e71c0.exe	29
PID 756 wrote to memory of 1768	756	b6effd527b53cdea520eb568180e71c0.exe	29
PID 756 wrote to memory of 1768	756	b6effd527b53cdea520eb568180e71c0.exe	29
PID 756 wrote to memory of 1768	756	b6effd527b53cdea520eb568180e71c0.exe	29
PID 756 wrote to memory of 1768	756	b6effd527b53cdea520eb568180e71c0.exe	29
PID 756 wrote to memory of 1852	756	b6effd527b53cdea520eb568180e71c0.exe	30
PID 756 wrote to memory of 1852	756	b6effd527b53cdea520eb568180e71c0.exe	30
PID 756 wrote to memory of 1852	756	b6effd527b53cdea520eb568180e71c0.exe	30
PID 756 wrote to memory of 1852	756	b6effd527b53cdea520eb568180e71c0.exe	30
PID 756 wrote to memory of 1852	756	b6effd527b53cdea520eb568180e71c0.exe	30
PID 756 wrote to memory of 1852	756	b6effd527b53cdea520eb568180e71c0.exe	30
PID 756 wrote to memory of 1852	756	b6effd527b53cdea520eb568180e71c0.exe	30

C:\Users\Admin\AppData\Local\Temp\b6effd527b53cdea520eb568180e71c0.exe
"C:\Users\Admin\AppData\Local\Temp\b6effd527b53cdea520eb568180e71c0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\whhfd008.ocx" pfjieaoidjglkajd
  2⤵
  - Loads dropped DLL
  PID:2352
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\0F761EC7ce.dll" m3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\whh34001.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\b6effd527b53cdea520eb568180e71c0.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\0F761EC7ce.dll

Filesize
10KB

MD5
f1f49fb85ab029ad86c02ebecb892b12

SHA1
664a602f8e843218c1158571714cd0adee1da939

SHA256
f8f3abcf8d43377b49d1edce23a667c9efd9cde86e9afee228e8c3b093013f13

SHA512
600810f5a23067afb483b2fb5cd980c817d1b79da7fd7c5183a2d76f3546c514256f5536791abd4ed4b949518c63ab7c55df3e9b9109df2681fd3df10dbd2673

Download Submit
\Program Files\Common Files\whh34001.ocx

Filesize
63KB

MD5
894cf09341b081609775a57ae205117f

SHA1
cf3604eaad83596024536b324cc4f0aef4d0a084

SHA256
6a45fb2ba35fa038839996cb6ba47001a1109a9ae1765812003b579bc0c9829d

SHA512
80bb45f331586f742b56239695e7e7304647c39cc09339459f2315ff88e05609f27637aea13120b5254b978ef9047513f36d7d2df69d013022d698879bf5bf45

Download Submit
\Windows\SysWOW64\whhfd008.ocx

Filesize
14KB

MD5
731659d09654891912ac223e20cd10ab

SHA1
13cee04adc7b09ef1c0c6b9abc02d0c7bc02a071

SHA256
672639ce00081bdd6b6ee69e1bc816d0b353ed9713b5a21bac6009907daf3d3b

SHA512
e2b63a180ff6a9ef523f21a9afe9f71f612f617fbab5b791f763c8bccab14d8cb1986729fadba4bc5f29fe9813766bcb88168018f8c6571ec72efc69639f1116

Download Submit
memory/756-0-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/756-7-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1768-21-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/1768-22-0x0000000002270000-0x0000000002485000-memory.dmp

Filesize
2.1MB

Download
memory/2352-19-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/2352-20-0x0000000002140000-0x0000000002355000-memory.dmp

Filesize
2.1MB

Download
memory/2352-23-0x0000000002140000-0x0000000002355000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing