28384587434989df15f8c74201ee3d29e10374c5c9646a070d2948d4ca94052f

General

Target

c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
Size

309KB
MD5

c9efdd0ee4aa9e56e8adcd9d6ad40837
SHA1

e96de10714e9e69339d2629661923c4842c59e24
SHA256

28384587434989df15f8c74201ee3d29e10374c5c9646a070d2948d4ca94052f
SHA512

6233c1eb60c000ab0497da92e6513f47ffb58c211c37944bdb9e7014b3f8712b9b5666827cc595c718309c250a0765a625d7ebde9ea93dcddc01eb3106ef8342
SSDEEP

6144:o8ldhm4x6FxHwjstWzUtJnbfvWSKpQ+jOvYBTObn3w01oov0KAb:lldcGEHwYiaJzWMAOvyq51olKAb

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2488	.exe
2392	.exe
304	.exe

Loads dropped DLL 4 IoCs

pid	Process
2908	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
2908	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
2488	.exe
2392	.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-0-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2908-10-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2908-12-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2908-14-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2908-19-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2332-20-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2908-21-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2908-22-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2908-24-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2908-25-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2908-29-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2908-32-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/files/0x000300000000b1f3-38.dat	upx
behavioral1/memory/2488-69-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2908-68-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2392-72-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2392-73-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2392-77-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2392-87-0x0000000000390000-0x0000000000399000-memory.dmp	upx
behavioral1/memory/2392-91-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/304-93-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TMP32$1.Nil	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
File created	C:\Windows\SysWOW64\TMP32$26---	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
File created	C:\Windows\SysWOW64\TMP32$1.Nil	.exe
File created	C:\Windows\SysWOW64\TMP32$26---	.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 2908	2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	28
PID 2488 set thread context of 2392	2488	.exe	32

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
2488	.exe
304	.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2908	2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	28
PID 2332 wrote to memory of 2908	2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	28
PID 2332 wrote to memory of 2908	2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	28
PID 2332 wrote to memory of 2908	2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	28
PID 2332 wrote to memory of 2908	2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	28
PID 2332 wrote to memory of 2908	2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	28
PID 2332 wrote to memory of 2908	2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	28
PID 2332 wrote to memory of 2908	2332	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	28
PID 2908 wrote to memory of 2488	2908	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	31
PID 2908 wrote to memory of 2488	2908	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	31
PID 2908 wrote to memory of 2488	2908	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	31
PID 2908 wrote to memory of 2488	2908	c9efdd0ee4aa9e56e8adcd9d6ad40837.exe	31
PID 2488 wrote to memory of 2392	2488	.exe	32
PID 2488 wrote to memory of 2392	2488	.exe	32
PID 2488 wrote to memory of 2392	2488	.exe	32
PID 2488 wrote to memory of 2392	2488	.exe	32
PID 2488 wrote to memory of 2392	2488	.exe	32
PID 2488 wrote to memory of 2392	2488	.exe	32
PID 2488 wrote to memory of 2392	2488	.exe	32
PID 2488 wrote to memory of 2392	2488	.exe	32
PID 2392 wrote to memory of 304	2392	.exe	33
PID 2392 wrote to memory of 304	2392	.exe	33
PID 2392 wrote to memory of 304	2392	.exe	33
PID 2392 wrote to memory of 304	2392	.exe	33

C:\Users\Admin\AppData\Local\Temp\c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
"C:\Users\Admin\AppData\Local\Temp\c9efdd0ee4aa9e56e8adcd9d6ad40837.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
  C:\Users\Admin\AppData\Local\Temp\c9efdd0ee4aa9e56e8adcd9d6ad40837.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\.exe
    .exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\.exe
      C:\Users\Admin\AppData\Local\Temp\.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\.exe
        
        .exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\TMP32$26---

Filesize
3.8MB

MD5
816bfd02f0b5e2cf41e57379d9812694

SHA1
d84a9a9bdd03a95b55ae27a9d71b801651bd1405

SHA256
533aaf7c4a429cd6cfd89287bdc1f8acad603c5b44164798d1cde0cba468fce1

SHA512
064c90614a50e9df684d200afbbd206d2a819324e2ce641d34404a0d11613dd721879d8907239f763eb095c04609ed5199fd3279a1b79245de23bf16f65540e6

Download Submit
\Users\Admin\AppData\Local\Temp\.exe

Filesize
309KB

MD5
c9efdd0ee4aa9e56e8adcd9d6ad40837

SHA1
e96de10714e9e69339d2629661923c4842c59e24

SHA256
28384587434989df15f8c74201ee3d29e10374c5c9646a070d2948d4ca94052f

SHA512
6233c1eb60c000ab0497da92e6513f47ffb58c211c37944bdb9e7014b3f8712b9b5666827cc595c718309c250a0765a625d7ebde9ea93dcddc01eb3106ef8342

Download Submit
memory/304-93-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2332-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2332-9-0x0000000000290000-0x0000000000299000-memory.dmp

Filesize
36KB

Download
memory/2332-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2392-77-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2392-85-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2392-87-0x0000000000390000-0x0000000000399000-memory.dmp

Filesize
36KB

Download
memory/2392-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2392-73-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2392-72-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2392-91-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2488-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2908-27-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2908-22-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-32-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-36-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2908-25-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-45-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/2908-24-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-68-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-23-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2908-29-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-21-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-19-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-14-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2908-12-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-10-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2908-7-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download

Analysis

Sharing