e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e

General

Target

e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Size

3.9MB
MD5

abdcd215ed468f7282c196a8a9e473d7
SHA1

5702dc33da4bc58627bfc9e8b36fd8d82dba3dde
SHA256

e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e
SHA512

6fadbc0211a058d730e46345d24fe4af5877d9109a6fd9dd4877c6b6ccd9caaa9fa977a27687a522ff4d1647eeaa0c18a42ef546062d65ad675de0b17276d367
SSDEEP

98304:rMtZlx9LV2NAhHm05RqEXIeYxscqv1d7lEL0dD7+5:rKZlz82hHmmCBs1d7GCDy

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2584 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

End_v1.2.exe

pid process

1940 End_v1.2.exe
1176
Loads dropped DLL 1 IoCs

Processes:

e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe

pid process

1968 e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe

pid	process
2584	cmd.exe

pid	process
1940	End_v1.2.exe
1176

pid	process
1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1968-0-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2536-8-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2536-11-0x0000000000400000-0x000000000057F000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\~3774303142575309762\End_v1.2.exe	upx
behavioral1/memory/1968-25-0x0000000003540000-0x000000000477F000-memory.dmp	upx
behavioral1/memory/1940-26-0x000000013F3F0000-0x000000014062F000-memory.dmp	upx
behavioral1/memory/1968-59-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2484-58-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2484-65-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2992-63-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2992-61-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1940-69-0x000000013F3F0000-0x000000014062F000-memory.dmp	upx
behavioral1/memory/1940-72-0x000000013F3F0000-0x000000014062F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2716 PING.EXE
2860 PING.EXE
2908 PING.EXE
1452 PING.EXE

pid	process
2716	PING.EXE
2860	PING.EXE
2908	PING.EXE
1452	PING.EXE

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exee4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exee4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exee4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe

description	pid	process
Token: SeBackupPrivilege	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeRestorePrivilege	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: 33	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeIncBasePriorityPrivilege	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeCreateGlobalPrivilege	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: 33	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeIncBasePriorityPrivilege	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: 33	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeIncBasePriorityPrivilege	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeBackupPrivilege	2536	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeRestorePrivilege	2536	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: 33	2536	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeIncBasePriorityPrivilege	2536	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: 33	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeIncBasePriorityPrivilege	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: 33	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeIncBasePriorityPrivilege	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeBackupPrivilege	2484	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeRestorePrivilege	2484	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: 33	2484	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeIncBasePriorityPrivilege	2484	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeBackupPrivilege	2992	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeRestorePrivilege	2992	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: 33	2992	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
Token: SeIncBasePriorityPrivilege	2992	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

End_v1.2.exe

pid process

1940 End_v1.2.exe
1940 End_v1.2.exe

pid	process
1940	End_v1.2.exe
1940	End_v1.2.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exee4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exee4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 2892	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 1968 wrote to memory of 2892	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 1968 wrote to memory of 2892	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 1968 wrote to memory of 2892	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 1968 wrote to memory of 2536	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2536	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2536	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2536	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 1940	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	End_v1.2.exe
PID 1968 wrote to memory of 1940	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	End_v1.2.exe
PID 1968 wrote to memory of 1940	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	End_v1.2.exe
PID 1968 wrote to memory of 1940	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	End_v1.2.exe
PID 1968 wrote to memory of 2484	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2484	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2484	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2484	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2992	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2992	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2992	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 1968 wrote to memory of 2992	1968	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
PID 2992 wrote to memory of 1596	2992	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 2992 wrote to memory of 1596	2992	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 2992 wrote to memory of 1596	2992	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 2992 wrote to memory of 1596	2992	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 2484 wrote to memory of 2584	2484	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 2484 wrote to memory of 2584	2484	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 2484 wrote to memory of 2584	2484	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 2484 wrote to memory of 2584	2484	e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe	cmd.exe
PID 1596 wrote to memory of 2716	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2716	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2716	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2860	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2860	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2860	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2908	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2908	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2908	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 1452	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 1452	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 1452	1596	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
"C:\Users\Admin\AppData\Local\Temp\e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=782848 -len=3289741 "C:\Users\Admin\AppData\Local\Temp\~6302117329724813266.tmp",,C:\Users\Admin\AppData\Local\Temp\e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\~3774303142575309762\End_v1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\~3774303142575309762\End_v1.2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~5949491246078699733.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~5949491246078699733.cmd"
    3⤵
    - Deletes itself
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~7512230833003002202.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~7512230833003002202.cmd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2716
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2860
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2908
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~5949491246078699733.cmd

Filesize
521B

MD5
060f6fc785808818d3b549dda97420fa

SHA1
77e3a135bf4b0081a393410f47bc3e0944895d1b

SHA256
22576323f4220d1c748c91ce6064ac19314d84724953fba1fbcf5cf392214801

SHA512
d8ade64997b27b65c0526d435e88383cb9cffece7d889b2e1f1b5289312d76a069924320ee5d33193a7aa40eb67d009d78b532e168662b7d7ee4b3c7716dbcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6302117329724813266.tmp

Filesize
3.1MB

MD5
80ab2f749a3753866a20b5b87375fe43

SHA1
bac069abf966cf486687845c74eed0cf7aee036e

SHA256
8f297022f3ed3288e2f75a8ed590d52dad8b731f074ba0eed4809efc47631fbe

SHA512
2c6095031c9c4245e4d38fd9d4b17373731980c045cd84f7b4587702b553226349af18bea424edfc34a43b0c84470492ade270be671e8af7560d55a091de9b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7512230833003002202.cmd

Filesize
373B

MD5
06d5ea768993408bc9b0ac33df1966ea

SHA1
35ea11384de13e690440ee4bcfa20d11f33d2d7f

SHA256
c9860c839849aeea4b060aa5c081c4e49172980342f375650fd438828217134b

SHA512
5de3d7d77fa8421b814888e259a745c2807ce53178b31eb4725746e93c6fd6f0cc4e182a5c2ead8f865697b25ac07b7eea47aa3018cdc728ccda3464b5a94e9c

Download Submit
\Users\Admin\AppData\Local\Temp\~3774303142575309762\End_v1.2.exe

Filesize
3.5MB

MD5
939261459f9c29343dd1d6bd51f3709e

SHA1
b1110b91465ebc137402a3c30842b0e87e870365

SHA256
b5732ac85589fdbe360af0d41fe4b409796fe414999c785bcf11f9b092ecf028

SHA512
697e447e742854cc4a9111b6451f2eed31d8d87b5db595ac6958ddd4f93110d1ad5e154c01a8b64db1cd7e26dcfffd637e183315a6aeeb7899ebc76c64f321db

Download Submit
memory/1940-72-0x000000013F3F0000-0x000000014062F000-memory.dmp

Filesize
18.2MB

Download
memory/1940-26-0x000000013F3F0000-0x000000014062F000-memory.dmp

Filesize
18.2MB

Download
memory/1940-69-0x000000013F3F0000-0x000000014062F000-memory.dmp

Filesize
18.2MB

Download
memory/1968-60-0x0000000002F70000-0x00000000030EF000-memory.dmp

Filesize
1.5MB

Download
memory/1968-25-0x0000000003540000-0x000000000477F000-memory.dmp

Filesize
18.2MB

Download
memory/1968-0-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1968-7-0x0000000002BD0000-0x0000000002D4F000-memory.dmp

Filesize
1.5MB

Download
memory/1968-59-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1968-57-0x00000000030B0000-0x000000000322F000-memory.dmp

Filesize
1.5MB

Download
memory/2484-58-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2484-65-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2536-11-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2536-8-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2992-63-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2992-61-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads