186b4267f0dc7c08b9bd74ab6db343469be2287eaab7f04f3117868e06252a9d

General

Target

b0fed858de99d310f42e826063a8cbf0N.exe
Size

3.0MB
MD5

b0fed858de99d310f42e826063a8cbf0
SHA1

9a85ffa2eee2d5e967ad1a35062a60cccf0722de
SHA256

186b4267f0dc7c08b9bd74ab6db343469be2287eaab7f04f3117868e06252a9d
SHA512

fe9a970b4a43fbea7e9961af852e9cbb2e7fe10a724c6962fd9df17d5bfd678728d76b0254bdd4c350ab53bdda19e8cedf7b7ae9640e80eafcfb147c6e1f5a00
SSDEEP

49152:pJ0sYimcakLWqhC2TH5t8NlqMcakLSOXmqOgfBmlxqCicakLWqhC2TH5t8NlqMcl:pJ1YimcakKaC2TZt8NlPcakGB1gZkkCD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2772	b0fed858de99d310f42e826063a8cbf0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	b0fed858de99d310f42e826063a8cbf0N.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	b0fed858de99d310f42e826063a8cbf0N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000d000000012251-11.dat	upx
behavioral1/memory/2320-16-0x0000000023420000-0x000000002367C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0fed858de99d310f42e826063a8cbf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0fed858de99d310f42e826063a8cbf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2312	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2320	b0fed858de99d310f42e826063a8cbf0N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2320	b0fed858de99d310f42e826063a8cbf0N.exe
2772	b0fed858de99d310f42e826063a8cbf0N.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2772	2320	b0fed858de99d310f42e826063a8cbf0N.exe	31
PID 2320 wrote to memory of 2772	2320	b0fed858de99d310f42e826063a8cbf0N.exe	31
PID 2320 wrote to memory of 2772	2320	b0fed858de99d310f42e826063a8cbf0N.exe	31
PID 2320 wrote to memory of 2772	2320	b0fed858de99d310f42e826063a8cbf0N.exe	31
PID 2772 wrote to memory of 2312	2772	b0fed858de99d310f42e826063a8cbf0N.exe	32
PID 2772 wrote to memory of 2312	2772	b0fed858de99d310f42e826063a8cbf0N.exe	32
PID 2772 wrote to memory of 2312	2772	b0fed858de99d310f42e826063a8cbf0N.exe	32
PID 2772 wrote to memory of 2312	2772	b0fed858de99d310f42e826063a8cbf0N.exe	32
PID 2772 wrote to memory of 2672	2772	b0fed858de99d310f42e826063a8cbf0N.exe	34
PID 2772 wrote to memory of 2672	2772	b0fed858de99d310f42e826063a8cbf0N.exe	34
PID 2772 wrote to memory of 2672	2772	b0fed858de99d310f42e826063a8cbf0N.exe	34
PID 2772 wrote to memory of 2672	2772	b0fed858de99d310f42e826063a8cbf0N.exe	34
PID 2672 wrote to memory of 2584	2672	cmd.exe	36
PID 2672 wrote to memory of 2584	2672	cmd.exe	36
PID 2672 wrote to memory of 2584	2672	cmd.exe	36
PID 2672 wrote to memory of 2584	2672	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe
"C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe
  C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe" /TN YSUR6GyG9dc2 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN YSUR6GyG9dc2 > C:\Users\Admin\AppData\Local\Temp\elBtZgUrj.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN YSUR6GyG9dc2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\elBtZgUrj.xml

Filesize
1KB

MD5
8c67359978f1b0a204725cdb6d5b52b2

SHA1
26d2769281eac73b14c23aaec5def7c742a44883

SHA256
e59cfb1e5d662df614ce6d24659ac59b1f9e236911b66f79c0af958b76e7178b

SHA512
15d062b1cbec77009e9b1eb3712a3ac59b1e91b52bd482216c4dbbf9cb924b37832f2ad4ddbde58b2b73db63898ff4f576215f84294d8931210e23c52368b1b3

Download Submit
\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe

Filesize
3.0MB

MD5
c3c39c4e0e2043e6f99bc4b61a048e53

SHA1
5f46e843315b96d4bf02650f263001a707784cf7

SHA256
efc20a490335e932d3e53fbacdb8659d6512a4151c99d7ee053ed36b22a11b03

SHA512
8ed034b69eaa7eeaf3b6d352d64927cc479058b874ff85bb9c51e2841b6af2117d2ed9c67a036cac96d92da28b2a47dc4ddd2967b27b8cb407a6c50b9ffdc259

Download Submit
memory/2320-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2320-7-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2320-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2320-16-0x0000000023420000-0x000000002367C000-memory.dmp

Filesize
2.4MB

Download
memory/2320-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2320-51-0x0000000023420000-0x000000002367C000-memory.dmp

Filesize
2.4MB

Download
memory/2772-24-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/2772-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2772-30-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2772-52-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads