8901baa34991288cda9c10737d45af9058c9e3c37317fc7d4a9d6cc9aad38e5f

General

Target

d732dd0b4d4737902615cb087439d752.exe
Size

22KB
MD5

d732dd0b4d4737902615cb087439d752
SHA1

137b2d0e7f7cde811443241df4d12bb0c59dee56
SHA256

8901baa34991288cda9c10737d45af9058c9e3c37317fc7d4a9d6cc9aad38e5f
SHA512

fa9ce1461af11bf04c3034a82354fdbb6db937202207eaa3e8aa6ae588b0012e5318218c0ecc1617ced1cd8cc2af2033d8abf6801ff32349893810e988153612
SSDEEP

384:StwGeGOtDUZcXG4R8x06g+HPrAT8L7dCKYwaRCBN3n90qvDJ:7YZcXG4R0zvrD78CasBdX7

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4928	ucnsvc.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/800-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x000700000001e59e-4.dat	upx
behavioral2/memory/800-6-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-7-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-9-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-10-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-14-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-15-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-16-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-17-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-18-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-19-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-20-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-21-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-22-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-23-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-24-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4928-25-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ucnsvc.exe	d732dd0b4d4737902615cb087439d752.exe
File opened for modification	C:\Windows\SysWOW64\ucnsvc.exe	d732dd0b4d4737902615cb087439d752.exe
File opened for modification	C:\Windows\SysWOW64\ucnsvc.exe	ucnsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 4928	800	d732dd0b4d4737902615cb087439d752.exe	89
PID 800 wrote to memory of 4928	800	d732dd0b4d4737902615cb087439d752.exe	89
PID 800 wrote to memory of 4928	800	d732dd0b4d4737902615cb087439d752.exe	89
PID 800 wrote to memory of 2388	800	d732dd0b4d4737902615cb087439d752.exe	101
PID 800 wrote to memory of 2388	800	d732dd0b4d4737902615cb087439d752.exe	101
PID 800 wrote to memory of 2388	800	d732dd0b4d4737902615cb087439d752.exe	101

C:\Users\Admin\AppData\Local\Temp\d732dd0b4d4737902615cb087439d752.exe
"C:\Users\Admin\AppData\Local\Temp\d732dd0b4d4737902615cb087439d752.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\ucnsvc.exe
  C:\Windows\system32\ucnsvc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\.bat C:\Users\Admin\AppData\Local\Temp\d732dd0b4d4737902615cb087439d752.exe C:\Users\Admin\AppData\Local\Temp\.bat
  2⤵
  PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.bat

Filesize
105B

MD5
baa7e02670be801bbc88053906cd3cfd

SHA1
77e6ba7c88e537d4a429d158b32556b029992061

SHA256
ed9ca56eb043077229e56d79dc1f6863037607bf7eb10a368af8c0aea5680da2

SHA512
c7692ca0f30bee7cfe8e937bc9cf0e329d666e5fae844df693121f2678c224a85016eaf7a19e22ebbdf3b14e88bb1d7f1b86e944afdb2fd52cab7ad8aed2303f

Download Submit
C:\Windows\SysWOW64\ucnsvc.exe

Filesize
22KB

MD5
d732dd0b4d4737902615cb087439d752

SHA1
137b2d0e7f7cde811443241df4d12bb0c59dee56

SHA256
8901baa34991288cda9c10737d45af9058c9e3c37317fc7d4a9d6cc9aad38e5f

SHA512
fa9ce1461af11bf04c3034a82354fdbb6db937202207eaa3e8aa6ae588b0012e5318218c0ecc1617ced1cd8cc2af2033d8abf6801ff32349893810e988153612

Download Submit
memory/800-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/800-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4928-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing