6027a80b8f3b5f4c24ca557e0a45eb8214edd10c6bc245d2423dc34dfcc79d8e

General

Target

c71b92c5b27400cc09927f865f7de13d.exe
Size

907KB
MD5

c71b92c5b27400cc09927f865f7de13d
SHA1

deed466ac916a02607b496b22479d5dfec1ed92c
SHA256

6027a80b8f3b5f4c24ca557e0a45eb8214edd10c6bc245d2423dc34dfcc79d8e
SHA512

d226ba35875fab84dc81f3afda7a047c8acd3f87632c77721e29c057ea987bc2b1bb87fa1fad37ebf04c605f1d1175f3c873712b95e8fb1dee20334dc99c9da3
SSDEEP

24576:BOvwGqD8p+bmfe0LBcZEtEl/D9sJePRwBY:QyW+0exlb9sJePWq

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	setup.exe

Loads dropped DLL 10 IoCs

pid	Process
2660	c71b92c5b27400cc09927f865f7de13d.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000C50000-0x0000000000F01000-memory.dmp	upx
behavioral1/files/0x000e000000014698-2.dat	upx
behavioral1/memory/2660-4-0x00000000025E0000-0x0000000002891000-memory.dmp	upx
behavioral1/memory/2660-8-0x0000000000C50000-0x0000000000F01000-memory.dmp	upx
behavioral1/memory/2744-9-0x0000000000C50000-0x0000000000F01000-memory.dmp	upx
behavioral1/memory/2744-14-0x0000000000C50000-0x0000000000F01000-memory.dmp	upx
behavioral1/files/0x000e000000014698-15.dat	upx
behavioral1/files/0x000e000000014698-22.dat	upx
behavioral1/files/0x000e000000014698-21.dat	upx
behavioral1/files/0x000e000000014698-20.dat	upx
behavioral1/files/0x000e000000014698-18.dat	upx
behavioral1/files/0x000e000000014698-17.dat	upx
behavioral1/files/0x000e000000014698-16.dat	upx
behavioral1/memory/2744-24-0x0000000000C50000-0x0000000000F01000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2740	2744	WerFault.exe	28

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2660	c71b92c5b27400cc09927f865f7de13d.exe
2660	c71b92c5b27400cc09927f865f7de13d.exe
2744	setup.exe
2744	setup.exe
2744	setup.exe
2744	setup.exe
2744	setup.exe
2744	setup.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2744	2660	c71b92c5b27400cc09927f865f7de13d.exe	28
PID 2660 wrote to memory of 2744	2660	c71b92c5b27400cc09927f865f7de13d.exe	28
PID 2660 wrote to memory of 2744	2660	c71b92c5b27400cc09927f865f7de13d.exe	28
PID 2660 wrote to memory of 2744	2660	c71b92c5b27400cc09927f865f7de13d.exe	28
PID 2660 wrote to memory of 2744	2660	c71b92c5b27400cc09927f865f7de13d.exe	28
PID 2660 wrote to memory of 2744	2660	c71b92c5b27400cc09927f865f7de13d.exe	28
PID 2660 wrote to memory of 2744	2660	c71b92c5b27400cc09927f865f7de13d.exe	28
PID 2744 wrote to memory of 2740	2744	setup.exe	30
PID 2744 wrote to memory of 2740	2744	setup.exe	30
PID 2744 wrote to memory of 2740	2744	setup.exe	30
PID 2744 wrote to memory of 2740	2744	setup.exe	30

C:\Users\Admin\AppData\Local\Temp\c71b92c5b27400cc09927f865f7de13d.exe
"C:\Users\Admin\AppData\Local\Temp\c71b92c5b27400cc09927f865f7de13d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 760
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
64KB

MD5
b1588f13f1b7227945fea3c9a271ecfc

SHA1
6db7fafc0622179d58d41ac5d4232be73f409765

SHA256
2c79404eafb190c6bb4028697f395c22f43193768a91c62719eb46371452891b

SHA512
6656a7d2acbbdead2eedf006b1a04c29e2f0833f4a94ba53369f525145687db80a05300e659ad57ede19f748b2a93ad63499baf92928357c768413dd3a3c1e89

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
795KB

MD5
7552215b865da3acd66a48d84359f98e

SHA1
9e531868e0bc493c9f72d7c2ad25507d407877d7

SHA256
9ff686441a9294832dd75c1b49cc5bb086130a35113124691d09bd10903e1414

SHA512
e6872011d4367b446fcfdaa250f4749c306cda6f7f626ec2b022e91285e410b165dbb8ebf1ba231ac12366d5eab2231694dfc97c16d31f76a82b85375a20c40f

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
776KB

MD5
70ea351872a115bfa00c712c94c961cb

SHA1
3fcd0d11af2e16e1310782b12a8b576b1df879fc

SHA256
ce18183b84f9ad2d92f113437c260d1e6847dbea645d782ad0db30427a34bcd1

SHA512
e2e4d98c5dd0a152a16e8acc0bf562957b71b3ac808a110336afe275879fe21b50e0f20b626274e4b7fb373add7f02fcfb02403d3693ff7912cb50cd0916f153

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
733KB

MD5
fcecef880bd798853b0b13808682a180

SHA1
cf8a86de9f5f776aec0b129e95796ea78f2c6481

SHA256
d1c561566c987417793b085da5e12c658ec6632532f429f6ccec77728862f60b

SHA512
56c78e0496defab0089c4424df3169594d8371423951e41a8442c73aa387366c6baf56b0cebc2642adb198d6a0ec4a61e5a837224db830369e30a2c42090d4f7

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
907KB

MD5
c71b92c5b27400cc09927f865f7de13d

SHA1
deed466ac916a02607b496b22479d5dfec1ed92c

SHA256
6027a80b8f3b5f4c24ca557e0a45eb8214edd10c6bc245d2423dc34dfcc79d8e

SHA512
d226ba35875fab84dc81f3afda7a047c8acd3f87632c77721e29c057ea987bc2b1bb87fa1fad37ebf04c605f1d1175f3c873712b95e8fb1dee20334dc99c9da3

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
704KB

MD5
05fc767506b6c21af7796e604cd46cf8

SHA1
86071968f50eab13e426ec1457c59c1a92873bb2

SHA256
ec085bc338a99ca4ff607ecfc6c8df918655c433e6f71e22f17c907295d12722

SHA512
5094b30e1691215dfe6a724ec3f2312c35503ade06ba8047820b8f0c185e11ca5f2367918177e2fe426c6815dfdb3cfdfed5c47e85bcc47c98f4d910e048ffb4

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
701KB

MD5
6a9ed0cf0bd327f70ce8433d0367cd7e

SHA1
bab4f7e0b2652733a1d1a809b635fdf33260fd5d

SHA256
90410dfee6c427d9eddbd7c8c70e72a98133652a2ef732803bbf62671df3692c

SHA512
844d63bc520629be69b6b5b90b11dd4bbd182c83ed413ac102f827c6f80463834dff5223322b57a1288b7530bbaa938531e5f2dc3c884667adfdd60c5853464d

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
640KB

MD5
712b78742ca0c1e90529e09dc3149f68

SHA1
c9a93e4fec9848d09ca7b3eb874f16fc1676323a

SHA256
2c280c545ee1132dc601be46e8738ce58b2dff9c0cec6ca1471f65f4dc4df674

SHA512
1b10c018c8d55ff8161745c2966facc7748b59d7bce61e18cfbc6ffbaa865e04d5383620d1178fcddc48e58b5a2b5fc21474598662bb177f4e4b73e43203b619

Download Submit
memory/2660-0-0x0000000000C50000-0x0000000000F01000-memory.dmp

Filesize
2.7MB

Download
memory/2660-8-0x0000000000C50000-0x0000000000F01000-memory.dmp

Filesize
2.7MB

Download
memory/2660-4-0x00000000025E0000-0x0000000002891000-memory.dmp

Filesize
2.7MB

Download
memory/2660-25-0x00000000025E0000-0x0000000002891000-memory.dmp

Filesize
2.7MB

Download
memory/2744-14-0x0000000000C50000-0x0000000000F01000-memory.dmp

Filesize
2.7MB

Download
memory/2744-9-0x0000000000C50000-0x0000000000F01000-memory.dmp

Filesize
2.7MB

Download
memory/2744-24-0x0000000000C50000-0x0000000000F01000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing