0d1c07b10bba6b4002deab33c3b364fb424f7bb4645a7dc41f26fbf7af24f28e

General

Target

c02db8d864f33002c15d2b5ebf8e3777.exe
Size

45KB
MD5

c02db8d864f33002c15d2b5ebf8e3777
SHA1

af787f7a5e3e9a4a4f5ead4317b2ee95854ea72a
SHA256

0d1c07b10bba6b4002deab33c3b364fb424f7bb4645a7dc41f26fbf7af24f28e
SHA512

38ed8cce15baa28d9d62a05a67e1c6fcab9c92b20a013e17ccec8920019af1758b141bb8857ad65b14f99de1efcc39dbf9f12dd41b056c103a55cdaf3c9b1a88
SSDEEP

768:cTNR61NTTRWUeO3lf5hVSjdIyndpUf4g6J3ie5gBBddNraXHCsWj+:cTL61lTs9WfHVAMQMe5gBXKHC3+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2924	rundll32.exe

Loads dropped DLL 8 IoCs

pid	Process
2848	rundll32.exe
2848	rundll32.exe
2848	rundll32.exe
2848	rundll32.exe
2924	rundll32.exe
2848	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-6-0x0000000000400000-0x000000000061C000-memory.dmp	upx
behavioral1/memory/2376-7-0x0000000000400000-0x000000000061C000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whhfd008.ocx	c02db8d864f33002c15d2b5ebf8e3777.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\0F7640D7ce.dll	c02db8d864f33002c15d2b5ebf8e3777.exe
File opened for modification	C:\Program Files\Common Files\0F7640D7ce.dll	c02db8d864f33002c15d2b5ebf8e3777.exe
File created	C:\Program Files\Common Files\whh09009.ocx	c02db8d864f33002c15d2b5ebf8e3777.exe
File opened for modification	C:\Program Files\Common Files\whh09009.ocx	c02db8d864f33002c15d2b5ebf8e3777.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2924	rundll32.exe
2924	rundll32.exe
2924	rundll32.exe
2924	rundll32.exe
2924	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2848	rundll32.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2848	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2668	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	28
PID 2376 wrote to memory of 2668	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	28
PID 2376 wrote to memory of 2668	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	28
PID 2376 wrote to memory of 2668	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	28
PID 2376 wrote to memory of 2668	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	28
PID 2376 wrote to memory of 2668	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	28
PID 2376 wrote to memory of 2668	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	28
PID 2376 wrote to memory of 2848	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	29
PID 2376 wrote to memory of 2848	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	29
PID 2376 wrote to memory of 2848	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	29
PID 2376 wrote to memory of 2848	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	29
PID 2376 wrote to memory of 2848	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	29
PID 2376 wrote to memory of 2848	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	29
PID 2376 wrote to memory of 2848	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	29
PID 2376 wrote to memory of 2924	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	30
PID 2376 wrote to memory of 2924	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	30
PID 2376 wrote to memory of 2924	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	30
PID 2376 wrote to memory of 2924	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	30
PID 2376 wrote to memory of 2924	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	30
PID 2376 wrote to memory of 2924	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	30
PID 2376 wrote to memory of 2924	2376	c02db8d864f33002c15d2b5ebf8e3777.exe	30

C:\Users\Admin\AppData\Local\Temp\c02db8d864f33002c15d2b5ebf8e3777.exe
"C:\Users\Admin\AppData\Local\Temp\c02db8d864f33002c15d2b5ebf8e3777.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\whhfd008.ocx" pfjieaoidjglkajd
  2⤵
  - Loads dropped DLL
  PID:2668
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\0F7640D7ce.dll" m3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\whh09009.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\c02db8d864f33002c15d2b5ebf8e3777.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\whhfd008.ocx

Filesize
14KB

MD5
731659d09654891912ac223e20cd10ab

SHA1
13cee04adc7b09ef1c0c6b9abc02d0c7bc02a071

SHA256
672639ce00081bdd6b6ee69e1bc816d0b353ed9713b5a21bac6009907daf3d3b

SHA512
e2b63a180ff6a9ef523f21a9afe9f71f612f617fbab5b791f763c8bccab14d8cb1986729fadba4bc5f29fe9813766bcb88168018f8c6571ec72efc69639f1116

Download Submit
\Program Files\Common Files\0F7640D7ce.dll

Filesize
10KB

MD5
f1f49fb85ab029ad86c02ebecb892b12

SHA1
664a602f8e843218c1158571714cd0adee1da939

SHA256
f8f3abcf8d43377b49d1edce23a667c9efd9cde86e9afee228e8c3b093013f13

SHA512
600810f5a23067afb483b2fb5cd980c817d1b79da7fd7c5183a2d76f3546c514256f5536791abd4ed4b949518c63ab7c55df3e9b9109df2681fd3df10dbd2673

Download Submit
\Program Files\Common Files\whh09009.ocx

Filesize
54KB

MD5
0197fee0061fe3b418c6cfcadd30b70a

SHA1
f10401b3ee949218f4bef3064199c94090ad895c

SHA256
0b3ede88c7f8357e2689f91cdd699e8b6ab0eb3776f422b6ad6ed522a63dfc85

SHA512
359f1c860e6accec43f5bf3a2ccbf7886ad63b120d9ce5c16118d40071b3f1af959975b936f6f1a53003b124883f6d23108f5f836b6cfa27b96e70a9725f4e1c

Download Submit
memory/2376-6-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2376-7-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2668-22-0x0000000002020000-0x0000000002232000-memory.dmp

Filesize
2.1MB

Download
memory/2848-17-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/2848-21-0x0000000001EF0000-0x0000000002102000-memory.dmp

Filesize
2.1MB

Download
memory/2924-20-0x0000000010000000-0x0000000010212000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing