a6b63a542c26ec06422dc09284ea54fd42fcd4abc47aad802a8e1450a7df782d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 15:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7c169f04389544ed1eec98a2ada3649.exe
Size

594KB
MD5

b7c169f04389544ed1eec98a2ada3649
SHA1

99bc8402811e553d19e26c1cd705b595cee3db2d
SHA256

a6b63a542c26ec06422dc09284ea54fd42fcd4abc47aad802a8e1450a7df782d
SHA512

3bbf0da1f307979322deced1852852caf95210db6312e4cff96aa59056b6660c73062874bfc5f2678b727ea28c581abfb17ded378f258608a99fd57234aa6818
SSDEEP

6144:FYd+FcoaFmsBxybFgqe+l6ohKB9RtHCJj73a07ZZFwKfpmxm90D8:ud+FcoaNBxyb7lwKj73aqZZF/xm/8

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
3876	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
1568	apocalyps32.exe
1188	apocalyps32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3876-15-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3876-18-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3876-20-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3876-21-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3876-24-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1188-33-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1188-35-0x0000000040010000-0x000000004004C000-memory.dmp	upx
behavioral2/memory/1188-38-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 3876	2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	92
PID 1568 set thread context of 1188	1568	apocalyps32.exe	94

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3876	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
1568	apocalyps32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 2148	4452	b7c169f04389544ed1eec98a2ada3649.exe	91
PID 4452 wrote to memory of 2148	4452	b7c169f04389544ed1eec98a2ada3649.exe	91
PID 4452 wrote to memory of 2148	4452	b7c169f04389544ed1eec98a2ada3649.exe	91
PID 2148 wrote to memory of 3876	2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	92
PID 2148 wrote to memory of 3876	2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	92
PID 2148 wrote to memory of 3876	2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	92
PID 2148 wrote to memory of 3876	2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	92
PID 2148 wrote to memory of 3876	2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	92
PID 2148 wrote to memory of 3876	2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	92
PID 2148 wrote to memory of 3876	2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	92
PID 2148 wrote to memory of 3876	2148	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	92
PID 3876 wrote to memory of 3384	3876	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	56
PID 3876 wrote to memory of 3384	3876	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	56
PID 3876 wrote to memory of 3384	3876	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	56
PID 3876 wrote to memory of 1568	3876	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	93
PID 3876 wrote to memory of 1568	3876	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	93
PID 3876 wrote to memory of 1568	3876	arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	93
PID 1568 wrote to memory of 1188	1568	apocalyps32.exe	94
PID 1568 wrote to memory of 1188	1568	apocalyps32.exe	94
PID 1568 wrote to memory of 1188	1568	apocalyps32.exe	94
PID 1568 wrote to memory of 1188	1568	apocalyps32.exe	94
PID 1568 wrote to memory of 1188	1568	apocalyps32.exe	94
PID 1568 wrote to memory of 1188	1568	apocalyps32.exe	94
PID 1568 wrote to memory of 1188	1568	apocalyps32.exe	94
PID 1568 wrote to memory of 1188	1568	apocalyps32.exe	94
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95
PID 1188 wrote to memory of 1592	1188	apocalyps32.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\b7c169f04389544ed1eec98a2ada3649.exe
  "C:\Users\Admin\AppData\Local\Temp\b7c169f04389544ed1eec98a2ada3649.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    C:\Users\Admin\AppData\Local\Temp\arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      C:\Users\Admin\AppData\Local\Temp\arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3876
    - - C:\Windows\apocalyps32.exe
        
        -bs
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\apocalyps32.exe
        
        C:\Windows\apocalyps32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\arspgxpfm0e.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Filesize
484KB

MD5
449e608f2a335214c5be5f75da5e274b

SHA1
9f1525066b8b477ec63389bc5a4bcad41c44f3b2

SHA256
3be00567469b87b48c584abaad921de3e5b8a87a0abe3cd419bec49aac480c47

SHA512
b38030effba34d93ea2ac95aba2318e9a50986f5fa0d22a472ca2f499410f97b45084ed280501a2e83ea91f6d7fbebf1153ab7399cd984f942791c9d495aa9b8

Download Submit
memory/1188-38-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1188-35-0x0000000040010000-0x000000004004C000-memory.dmp

Filesize
240KB

Download
memory/1188-33-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3876-24-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3876-21-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3876-20-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3876-18-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3876-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4452-4-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/4452-8-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/4452-7-0x000000001C400000-0x000000001C44C000-memory.dmp

Filesize
304KB

Download
memory/4452-6-0x0000000001140000-0x0000000001148000-memory.dmp

Filesize
32KB

Download
memory/4452-5-0x000000001C2D0000-0x000000001C36C000-memory.dmp

Filesize
624KB

Download
memory/4452-0-0x000000001B750000-0x000000001B7F6000-memory.dmp

Filesize
664KB

Download
memory/4452-22-0x00007FF9BA100000-0x00007FF9BAAA1000-memory.dmp

Filesize
9.6MB

Download
memory/4452-2-0x000000001BD60000-0x000000001C22E000-memory.dmp

Filesize
4.8MB

Download
memory/4452-3-0x00007FF9BA100000-0x00007FF9BAAA1000-memory.dmp

Filesize
9.6MB

Download
memory/4452-1-0x00007FF9BA100000-0x00007FF9BAAA1000-memory.dmp

Filesize
9.6MB

Download