a6b63a542c26ec06422dc09284ea54fd42fcd4abc47aad802a8e1450a7df782d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 15:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7c169f04389544ed1eec98a2ada3649.exe
Size

594KB
MD5

b7c169f04389544ed1eec98a2ada3649
SHA1

99bc8402811e553d19e26c1cd705b595cee3db2d
SHA256

a6b63a542c26ec06422dc09284ea54fd42fcd4abc47aad802a8e1450a7df782d
SHA512

3bbf0da1f307979322deced1852852caf95210db6312e4cff96aa59056b6660c73062874bfc5f2678b727ea28c581abfb17ded378f258608a99fd57234aa6818
SSDEEP

6144:FYd+FcoaFmsBxybFgqe+l6ohKB9RtHCJj73a07ZZFwKfpmxm90D8:ud+FcoaNBxyb7lwKj73aqZZF/xm/8

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
2688	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
2460	apocalyps32.exe
3020	apocalyps32.exe

Loads dropped DLL 1 IoCs

pid	Process
2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-16-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2688-18-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2688-22-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2688-25-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2688-27-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2688-26-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2688-30-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2688-33-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/3020-53-0x0000000040010000-0x000000004004C000-memory.dmp	upx
behavioral1/memory/3020-56-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 2688	2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	29
PID 2460 set thread context of 3020	2460	apocalyps32.exe	31

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2688	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
2460	apocalyps32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2552	1984	b7c169f04389544ed1eec98a2ada3649.exe	28
PID 1984 wrote to memory of 2552	1984	b7c169f04389544ed1eec98a2ada3649.exe	28
PID 1984 wrote to memory of 2552	1984	b7c169f04389544ed1eec98a2ada3649.exe	28
PID 1984 wrote to memory of 2552	1984	b7c169f04389544ed1eec98a2ada3649.exe	28
PID 2552 wrote to memory of 2688	2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	29
PID 2552 wrote to memory of 2688	2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	29
PID 2552 wrote to memory of 2688	2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	29
PID 2552 wrote to memory of 2688	2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	29
PID 2552 wrote to memory of 2688	2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	29
PID 2552 wrote to memory of 2688	2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	29
PID 2552 wrote to memory of 2688	2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	29
PID 2552 wrote to memory of 2688	2552	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	29
PID 2688 wrote to memory of 1212	2688	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	21
PID 2688 wrote to memory of 1212	2688	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	21
PID 2688 wrote to memory of 1212	2688	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	21
PID 2688 wrote to memory of 2460	2688	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	30
PID 2688 wrote to memory of 2460	2688	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	30
PID 2688 wrote to memory of 2460	2688	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	30
PID 2688 wrote to memory of 2460	2688	cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	30
PID 2460 wrote to memory of 3020	2460	apocalyps32.exe	31
PID 2460 wrote to memory of 3020	2460	apocalyps32.exe	31
PID 2460 wrote to memory of 3020	2460	apocalyps32.exe	31
PID 2460 wrote to memory of 3020	2460	apocalyps32.exe	31
PID 2460 wrote to memory of 3020	2460	apocalyps32.exe	31
PID 2460 wrote to memory of 3020	2460	apocalyps32.exe	31
PID 2460 wrote to memory of 3020	2460	apocalyps32.exe	31
PID 2460 wrote to memory of 3020	2460	apocalyps32.exe	31
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32
PID 3020 wrote to memory of 2456	3020	apocalyps32.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\b7c169f04389544ed1eec98a2ada3649.exe
  "C:\Users\Admin\AppData\Local\Temp\b7c169f04389544ed1eec98a2ada3649.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    C:\Users\Admin\AppData\Local\Temp\cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      C:\Users\Admin\AppData\Local\Temp\cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\apocalyps32.exe
        
        -bs
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\apocalyps32.exe
        
        C:\Windows\apocalyps32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cwho1werzoh.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Filesize
484KB

MD5
449e608f2a335214c5be5f75da5e274b

SHA1
9f1525066b8b477ec63389bc5a4bcad41c44f3b2

SHA256
3be00567469b87b48c584abaad921de3e5b8a87a0abe3cd419bec49aac480c47

SHA512
b38030effba34d93ea2ac95aba2318e9a50986f5fa0d22a472ca2f499410f97b45084ed280501a2e83ea91f6d7fbebf1153ab7399cd984f942791c9d495aa9b8

Download Submit
memory/1212-28-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1984-2-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1984-3-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/1984-1-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/1984-0-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1984-29-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2688-18-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2688-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2688-22-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2688-25-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2688-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2688-27-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2688-26-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2688-30-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2688-33-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3020-53-0x0000000040010000-0x000000004004C000-memory.dmp

Filesize
240KB

Download
memory/3020-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download