a18c6a7874427f906d993fb6477ae7afe1e87fd1173472a491183835ffc5db3c

General

Target

cc5ca1740e1e3d8acf75a7ad956c8179.exe
Size

1003KB
MD5

cc5ca1740e1e3d8acf75a7ad956c8179
SHA1

311f81785d34b5a81d636eb8bf99ceb02afa464a
SHA256

a18c6a7874427f906d993fb6477ae7afe1e87fd1173472a491183835ffc5db3c
SHA512

73e7fefdafd2b36d529cd81b04d0acfad71dcc73a84bb27106db6eed7a37cb5221e09a5508eac554f36794e61952a5094a1361ce77d3f867b5c7d6490d9bbb1b
SSDEEP

24576:hp41XPhpOMQZjyP6St0x9H+aFLsQnxjml9MeiK:hp41XPhpObZ2P6St0xYaFL/nxAX

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	cc5ca1740e1e3d8acf75a7ad956c8179.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2392-6-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000a000000013a71-17.dat	upx
behavioral1/memory/2392-16-0x0000000022EA0000-0x00000000230FC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2596	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2392	cc5ca1740e1e3d8acf75a7ad956c8179.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2392	cc5ca1740e1e3d8acf75a7ad956c8179.exe
3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3060	2392	cc5ca1740e1e3d8acf75a7ad956c8179.exe	29
PID 2392 wrote to memory of 3060	2392	cc5ca1740e1e3d8acf75a7ad956c8179.exe	29
PID 2392 wrote to memory of 3060	2392	cc5ca1740e1e3d8acf75a7ad956c8179.exe	29
PID 2392 wrote to memory of 3060	2392	cc5ca1740e1e3d8acf75a7ad956c8179.exe	29
PID 3060 wrote to memory of 2596	3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe	30
PID 3060 wrote to memory of 2596	3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe	30
PID 3060 wrote to memory of 2596	3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe	30
PID 3060 wrote to memory of 2596	3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe	30
PID 3060 wrote to memory of 2660	3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe	32
PID 3060 wrote to memory of 2660	3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe	32
PID 3060 wrote to memory of 2660	3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe	32
PID 3060 wrote to memory of 2660	3060	cc5ca1740e1e3d8acf75a7ad956c8179.exe	32
PID 2660 wrote to memory of 2720	2660	cmd.exe	34
PID 2660 wrote to memory of 2720	2660	cmd.exe	34
PID 2660 wrote to memory of 2720	2660	cmd.exe	34
PID 2660 wrote to memory of 2720	2660	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\cc5ca1740e1e3d8acf75a7ad956c8179.exe
"C:\Users\Admin\AppData\Local\Temp\cc5ca1740e1e3d8acf75a7ad956c8179.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\cc5ca1740e1e3d8acf75a7ad956c8179.exe
  C:\Users\Admin\AppData\Local\Temp\cc5ca1740e1e3d8acf75a7ad956c8179.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\cc5ca1740e1e3d8acf75a7ad956c8179.exe" /TN 6ek6uOO9da42 /F
    3⤵
    - Creates scheduled task(s)
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 6ek6uOO9da42 > C:\Users\Admin\AppData\Local\Temp\xwAluJhn.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 6ek6uOO9da42
      4⤵
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cc5ca1740e1e3d8acf75a7ad956c8179.exe

Filesize
1003KB

MD5
3751ef8129cc37d7fa4e29b471e9c2f9

SHA1
c4f7f38b22d41f94f035cc396f2d5c366cabc425

SHA256
4afbd8a690ba4c4a6008be7ecb8e1b1801f2641416bcfe7161888262b696eed1

SHA512
4bb7de85ebff79c2ea45f46aaf43b858b39187785d5d79d8a8d0f60b2f552a21efcf614a3c73be28bfdaa4073837dc50a8d5395ceacdba7164d5d7b014e5de28

Download Submit
memory/2392-6-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2392-10-0x0000000000360000-0x00000000003DE000-memory.dmp

Filesize
504KB

Download
memory/2392-16-0x0000000022EA0000-0x00000000230FC000-memory.dmp

Filesize
2.4MB

Download
memory/2392-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2392-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2392-36-0x0000000022EA0000-0x00000000230FC000-memory.dmp

Filesize
2.4MB

Download
memory/3060-19-0x0000000022DF0000-0x0000000022E6E000-memory.dmp

Filesize
504KB

Download
memory/3060-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3060-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3060-21-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3060-37-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads