da8dcb598c0f52af571ccee448f54a3b4dcf3bd13df39db80751ef02dc7f4fd8

General

Target

5a94bd63f57bec97c51003f347ef5d70N.exe
Size

1003KB
MD5

5a94bd63f57bec97c51003f347ef5d70
SHA1

c0ad28860a7ad21587d6237c221c07eb9fb63536
SHA256

da8dcb598c0f52af571ccee448f54a3b4dcf3bd13df39db80751ef02dc7f4fd8
SHA512

0e1219e67fd645bdaac5fe9b7e7d79455478b27f5852416d634b2277f30766818fde11f61f69b7816d240f7595aeb81e7eeeb1e0a2a5765e970cebe233023ef5
SSDEEP

24576:Af9Nn/0eyTwFf3HJEuMlSVj21RaBkoXlq:AlV/0fwFf3HJEuMlSVj21RaBkoXl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2856	5a94bd63f57bec97c51003f347ef5d70N.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	5a94bd63f57bec97c51003f347ef5d70N.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	5a94bd63f57bec97c51003f347ef5d70N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-9-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000e00000001224d-11.dat	upx
behavioral1/memory/2856-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a94bd63f57bec97c51003f347ef5d70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a94bd63f57bec97c51003f347ef5d70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2640	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2488	5a94bd63f57bec97c51003f347ef5d70N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2488	5a94bd63f57bec97c51003f347ef5d70N.exe
2856	5a94bd63f57bec97c51003f347ef5d70N.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2856	2488	5a94bd63f57bec97c51003f347ef5d70N.exe	31
PID 2488 wrote to memory of 2856	2488	5a94bd63f57bec97c51003f347ef5d70N.exe	31
PID 2488 wrote to memory of 2856	2488	5a94bd63f57bec97c51003f347ef5d70N.exe	31
PID 2488 wrote to memory of 2856	2488	5a94bd63f57bec97c51003f347ef5d70N.exe	31
PID 2856 wrote to memory of 2640	2856	5a94bd63f57bec97c51003f347ef5d70N.exe	32
PID 2856 wrote to memory of 2640	2856	5a94bd63f57bec97c51003f347ef5d70N.exe	32
PID 2856 wrote to memory of 2640	2856	5a94bd63f57bec97c51003f347ef5d70N.exe	32
PID 2856 wrote to memory of 2640	2856	5a94bd63f57bec97c51003f347ef5d70N.exe	32
PID 2856 wrote to memory of 2960	2856	5a94bd63f57bec97c51003f347ef5d70N.exe	34
PID 2856 wrote to memory of 2960	2856	5a94bd63f57bec97c51003f347ef5d70N.exe	34
PID 2856 wrote to memory of 2960	2856	5a94bd63f57bec97c51003f347ef5d70N.exe	34
PID 2856 wrote to memory of 2960	2856	5a94bd63f57bec97c51003f347ef5d70N.exe	34
PID 2960 wrote to memory of 2744	2960	cmd.exe	36
PID 2960 wrote to memory of 2744	2960	cmd.exe	36
PID 2960 wrote to memory of 2744	2960	cmd.exe	36
PID 2960 wrote to memory of 2744	2960	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe
"C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe
  C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe" /TN 4vF3ZT9f5be3 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 4vF3ZT9f5be3 > C:\Users\Admin\AppData\Local\Temp\sY4U8hP.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 4vF3ZT9f5be3
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sY4U8hP.xml

Filesize
1KB

MD5
6329188f799f144e92c5f44395872eaa

SHA1
aa9c98e45bdd0fb29560094128867afdc53d4c07

SHA256
d31e815b4920dbe816c735da94dbd8bbd853d23c43be35c72572f665de00cbdd

SHA512
d3637abbc230ce972264283edcc8bedaaafbf6f3ae4a6ba54ba0ffa220b06604da9b010bd61083988cac88ea6a94ddcd725d0f2bd47fc2e76fe5823b742768f0

Download Submit
\Users\Admin\AppData\Local\Temp\5a94bd63f57bec97c51003f347ef5d70N.exe

Filesize
1003KB

MD5
d1f2034f2ddfcaf3da1f1cd5c76d36dc

SHA1
ee2a8e5150f149e6bac2e6e5930801e607c9b79c

SHA256
406d98a19d6f94a7c276ab6aff14ff812798d997d78b8678e51f409871c56aaf

SHA512
8c4e2460698bb95d66d61947284a8e5b270708f023b7b63a80912c1194fad47fc607f87f941e0c0aa94bb268d07dc2b64484e4487b9da4a7bf8082c0a0d177ff

Download Submit
memory/2488-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-10-0x0000000022DD0000-0x0000000022E4E000-memory.dmp

Filesize
504KB

Download
memory/2488-9-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2488-16-0x0000000022F60000-0x00000000231BC000-memory.dmp

Filesize
2.4MB

Download
memory/2488-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2856-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2856-31-0x0000000000310000-0x000000000037B000-memory.dmp

Filesize
428KB

Download
memory/2856-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2856-25-0x00000000001C0000-0x000000000023E000-memory.dmp

Filesize
504KB

Download
memory/2856-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads