d006949ada27d9c72fd6f6a2e987bec0d620f55a5794d6e7537d14777858e9e7

General

Target

c821288e845f1b9caa1d8de70949ca57.exe
Size

47KB
MD5

c821288e845f1b9caa1d8de70949ca57
SHA1

416399b198a968881168c48ec71f57f4209b76ce
SHA256

d006949ada27d9c72fd6f6a2e987bec0d620f55a5794d6e7537d14777858e9e7
SHA512

fdcca5e48cc95415253bd5dbea922f51c505f0153922d55a2c5998ea8c98b14acfcdf6d44f45b6b256f00a3d58d644a7ed5194a141b32206e02c817ac3949330
SSDEEP

768:+TNR61NTTRTQC1iKZ/tC59qdtPWTFdVYFbq36EQtin2O5bmKBvk02/6:+TL61lTxQCJ/M34PW+lq36TU2OJbBviS

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2232	rundll32.exe

Loads dropped DLL 8 IoCs

pid	Process
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2084	rundll32.exe
2232	rundll32.exe
2080	rundll32.exe
2084	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1152-6-0x0000000000400000-0x000000000061C000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whhfd008.ocx	c821288e845f1b9caa1d8de70949ca57.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\0F767713ce.dll	c821288e845f1b9caa1d8de70949ca57.exe
File opened for modification	C:\Program Files\Common Files\0F767713ce.dll	c821288e845f1b9caa1d8de70949ca57.exe
File created	C:\Program Files\Common Files\whh15013.ocx	c821288e845f1b9caa1d8de70949ca57.exe
File opened for modification	C:\Program Files\Common Files\whh15013.ocx	c821288e845f1b9caa1d8de70949ca57.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2080	rundll32.exe
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2080	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2084	1152	c821288e845f1b9caa1d8de70949ca57.exe	28
PID 1152 wrote to memory of 2084	1152	c821288e845f1b9caa1d8de70949ca57.exe	28
PID 1152 wrote to memory of 2084	1152	c821288e845f1b9caa1d8de70949ca57.exe	28
PID 1152 wrote to memory of 2084	1152	c821288e845f1b9caa1d8de70949ca57.exe	28
PID 1152 wrote to memory of 2084	1152	c821288e845f1b9caa1d8de70949ca57.exe	28
PID 1152 wrote to memory of 2084	1152	c821288e845f1b9caa1d8de70949ca57.exe	28
PID 1152 wrote to memory of 2084	1152	c821288e845f1b9caa1d8de70949ca57.exe	28
PID 1152 wrote to memory of 2080	1152	c821288e845f1b9caa1d8de70949ca57.exe	29
PID 1152 wrote to memory of 2080	1152	c821288e845f1b9caa1d8de70949ca57.exe	29
PID 1152 wrote to memory of 2080	1152	c821288e845f1b9caa1d8de70949ca57.exe	29
PID 1152 wrote to memory of 2080	1152	c821288e845f1b9caa1d8de70949ca57.exe	29
PID 1152 wrote to memory of 2080	1152	c821288e845f1b9caa1d8de70949ca57.exe	29
PID 1152 wrote to memory of 2080	1152	c821288e845f1b9caa1d8de70949ca57.exe	29
PID 1152 wrote to memory of 2080	1152	c821288e845f1b9caa1d8de70949ca57.exe	29
PID 1152 wrote to memory of 2232	1152	c821288e845f1b9caa1d8de70949ca57.exe	30
PID 1152 wrote to memory of 2232	1152	c821288e845f1b9caa1d8de70949ca57.exe	30
PID 1152 wrote to memory of 2232	1152	c821288e845f1b9caa1d8de70949ca57.exe	30
PID 1152 wrote to memory of 2232	1152	c821288e845f1b9caa1d8de70949ca57.exe	30
PID 1152 wrote to memory of 2232	1152	c821288e845f1b9caa1d8de70949ca57.exe	30
PID 1152 wrote to memory of 2232	1152	c821288e845f1b9caa1d8de70949ca57.exe	30
PID 1152 wrote to memory of 2232	1152	c821288e845f1b9caa1d8de70949ca57.exe	30

C:\Users\Admin\AppData\Local\Temp\c821288e845f1b9caa1d8de70949ca57.exe
"C:\Users\Admin\AppData\Local\Temp\c821288e845f1b9caa1d8de70949ca57.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\whhfd008.ocx" pfjieaoidjglkajd
  2⤵
  - Loads dropped DLL
  PID:2084
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\0F767713ce.dll" m3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\whh15013.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\c821288e845f1b9caa1d8de70949ca57.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\whh15013.ocx

Filesize
55KB

MD5
db8b8cbe844b6804ad5db101431cdfbb

SHA1
a12be10bf0b8571a72c4213766aa75713c0d8f67

SHA256
fb27f5cea348b565b4f9cca526e6ed901af40ee782b15fe77f9536999d93fe85

SHA512
1759f33c22deac0fddd14aa9f130d75c5d6922ea75c67d1fbab7d1431b21b88723ff745918d72df812eb482f86468a928cb89c0e621adda44527dcd21da0dc68

Download Submit
C:\Windows\SysWOW64\whhfd008.ocx

Filesize
14KB

MD5
731659d09654891912ac223e20cd10ab

SHA1
13cee04adc7b09ef1c0c6b9abc02d0c7bc02a071

SHA256
672639ce00081bdd6b6ee69e1bc816d0b353ed9713b5a21bac6009907daf3d3b

SHA512
e2b63a180ff6a9ef523f21a9afe9f71f612f617fbab5b791f763c8bccab14d8cb1986729fadba4bc5f29fe9813766bcb88168018f8c6571ec72efc69639f1116

Download Submit
\Program Files\Common Files\0F767713ce.dll

Filesize
10KB

MD5
f1f49fb85ab029ad86c02ebecb892b12

SHA1
664a602f8e843218c1158571714cd0adee1da939

SHA256
f8f3abcf8d43377b49d1edce23a667c9efd9cde86e9afee228e8c3b093013f13

SHA512
600810f5a23067afb483b2fb5cd980c817d1b79da7fd7c5183a2d76f3546c514256f5536791abd4ed4b949518c63ab7c55df3e9b9109df2681fd3df10dbd2673

Download Submit
memory/1152-6-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2080-19-0x0000000002170000-0x0000000002383000-memory.dmp

Filesize
2.1MB

Download
memory/2080-23-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/2080-24-0x0000000002170000-0x0000000002383000-memory.dmp

Filesize
2.1MB

Download
memory/2084-20-0x0000000001E30000-0x0000000002043000-memory.dmp

Filesize
2.1MB

Download
memory/2084-22-0x0000000001E30000-0x0000000002043000-memory.dmp

Filesize
2.1MB

Download
memory/2232-21-0x0000000010000000-0x0000000010213000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing