4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233

General

Target

4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
Size

3.5MB
MD5

021ce3bb6c54febd1cf531e1e07ba08c
SHA1

079f83d244c90044699302daeec1165aff4b3280
SHA256

4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233
SHA512

37faf6d63f1eff641cb4daefe8d3cd96f2a8480d322ea7e1d7d08779e4095c45d054888bda3eb6a4e7b063787b70e527096a2ac4848ffe6fa4cf142e238be2e7
SSDEEP

49152:6dQ4omSYtiblkFLMYzIcE1x4MjjYp30g0KKpF1cER3iRHFdAQupummsDLlhySYJi:uQxmb+SpjxB0NpF6a37uuR0JxF5+F

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 37 IoCs

resource	yara_rule
behavioral2/memory/4392-0-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/files/0x00070000000231ec-6.dat	UPX
behavioral2/memory/1996-14-0x0000000000DC0000-0x00000000024AF000-memory.dmp	UPX
behavioral2/memory/1996-13-0x0000000000DC0000-0x00000000024AF000-memory.dmp	UPX
behavioral2/memory/2576-17-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-18-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-19-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2576-20-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2576-25-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-26-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-27-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-28-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-29-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-31-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-32-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-33-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-34-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-35-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-36-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-37-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-38-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-39-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-40-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-41-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-42-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-43-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-44-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-45-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-46-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-47-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-48-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-49-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-50-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-51-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-52-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/4392-53-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX
behavioral2/memory/2100-54-0x0000000000360000-0x0000000001A4F000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
1996	uqqtbnmlgqoceoxbsondgckusejeecn-elevate.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4392-0-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/files/0x00070000000231ec-6.dat	upx
behavioral2/memory/1996-14-0x0000000000DC0000-0x00000000024AF000-memory.dmp	upx
behavioral2/memory/1996-13-0x0000000000DC0000-0x00000000024AF000-memory.dmp	upx
behavioral2/memory/2576-17-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-18-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-19-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2576-20-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2576-25-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-26-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-27-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-28-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-29-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-31-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-32-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-33-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-34-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-35-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-36-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-37-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-38-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-39-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-40-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-41-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-42-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-43-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-44-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-45-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-46-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-47-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-48-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-49-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-50-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-51-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-52-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/4392-53-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx
behavioral2/memory/2100-54-0x0000000000360000-0x0000000001A4F000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe = "11001"	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe = "11001"	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2576	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4392	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
2100	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 2100	4392	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe	90
PID 4392 wrote to memory of 2100	4392	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe	90
PID 4392 wrote to memory of 2100	4392	4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe	90

C:\Users\Admin\AppData\Local\Temp\4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
"C:\Users\Admin\AppData\Local\Temp\4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
  "C:\Users\Admin\AppData\Local\Temp\4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe" -gpipe \\.\pipe\PCommand97gmlhdifctjhdplh -gui
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe
  "C:\Users\Admin\AppData\Local\Temp\4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233.exe" -cpipe \\.\pipe\PCommand96xguvgcoiwvjwwml -child
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2576

C:\ProgramData\Getscreen.me\uqqtbnmlgqoceoxbsondgckusejeecn-elevate.exe
"C:\ProgramData\Getscreen.me\uqqtbnmlgqoceoxbsondgckusejeecn-elevate.exe" -elevate \\.\pipe\elevateGS512uqqtbnmlgqoceoxbsondgckusejeecn
1⤵
- Executes dropped EXE
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Getscreen.me\logs\20240308.log

Filesize
726B

MD5
e1407acc4bc5429228b21d5ff69f6c4b

SHA1
644396a7c87c1db7a9c540786f3086137a581193

SHA256
000aad93b015fae8d93db6a21d5ad4568aff719c578db82415178a0c8eaa2b9f

SHA512
d14b71bf50ea4726614e09c86efab12bf01098541f28a6a072beb717c1465429653cfa587b3172e99fb93124cdec10668a1c0ba9a70eba4a08e6004d79a306e9

Download Submit
C:\ProgramData\Getscreen.me\logs\20240308.log

Filesize
2KB

MD5
1af9d5122a6aeb870ef5b1a03809ae47

SHA1
cb07350d68f27c9cf94b2d2d30ca9d74e9e60a8d

SHA256
ecab88695b0257432e66214aa0fb4b05494a5bbabaa1703734b6575cc52c9bf1

SHA512
cb9fe2fa6220fdf4b9438858b838b4aff172d86691a231dbed327c7bef6ce851134d711f17304ba7ae0523c3c893bbe7f6e0b31fa499bfbde68ec57140998406

Download Submit
C:\ProgramData\Getscreen.me\logs\20240308.log

Filesize
261B

MD5
a46d86438d84e35ec64d0297efb47ce1

SHA1
7d75297ab6af7bdec776df1cb81a3a7ee096602d

SHA256
2c1afab81564b2c24d20ca1c2b2553f0b18959e26e5b9d1e78c75e90e55468c3

SHA512
da484a0475cc3c3d846dfd430c96d0f50b04b9b4bb7ce0a6b178ac38d16027c2ea01fa5b4ffe61d797ef9c3b783b57d6df10a8409a0204a5cee2163a87c93288

Download Submit
C:\ProgramData\Getscreen.me\memory\0000pipe0PCommand96xguvgcoiwvjwwml0

Filesize
16.0MB

MD5
101aca71a5fc6af598fd222b4e42e0f3

SHA1
2e78790bae422cbd054cdf784927ad1780ca6456

SHA256
a10f2a41cdf8e666028d7b6e8f2fcfd1d9dc45e49b35ac16f59e1f496168b68e

SHA512
2fedcca5deb237617bd3cb3008d827b0f1530525b4782beb74ad32d0b37b22ad67b860a462013188022a4137cdc486972b36d9915c1f30101079df7312902f9e

Download Submit
C:\ProgramData\Getscreen.me\uqqtbnmlgqoceoxbsondgckusejeecn-elevate.exe

Filesize
3.5MB

MD5
021ce3bb6c54febd1cf531e1e07ba08c

SHA1
079f83d244c90044699302daeec1165aff4b3280

SHA256
4c8804f56b1507a064b51ece229e192613527d5c6077fcc930d53711e89f3233

SHA512
37faf6d63f1eff641cb4daefe8d3cd96f2a8480d322ea7e1d7d08779e4095c45d054888bda3eb6a4e7b063787b70e527096a2ac4848ffe6fa4cf142e238be2e7

Download Submit
memory/1996-14-0x0000000000DC0000-0x00000000024AF000-memory.dmp

Filesize
22.9MB

Download
memory/1996-13-0x0000000000DC0000-0x00000000024AF000-memory.dmp

Filesize
22.9MB

Download
memory/2100-34-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-38-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-54-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-19-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-52-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-50-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-48-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-46-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-28-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-29-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-44-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-32-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-42-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-40-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2100-36-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2576-25-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2576-20-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/2576-17-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-31-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-27-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-41-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-33-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-43-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-35-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-45-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-0-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-47-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-26-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-49-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-39-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-51-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-37-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-53-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download
memory/4392-18-0x0000000000360000-0x0000000001A4F000-memory.dmp

Filesize
22.9MB

Download

Analysis

Sharing