c04302bda647b86a3a35e45b4f8dff5bee493654be0cc92afc5ae9c6f7f814e5

General

Target

853dd593ac5cdf53c30c2e7574c020d0N.exe
Size

501KB
MD5

853dd593ac5cdf53c30c2e7574c020d0
SHA1

d84e753ca8b99a885beedf5e2e9461f9e2cccc7e
SHA256

c04302bda647b86a3a35e45b4f8dff5bee493654be0cc92afc5ae9c6f7f814e5
SHA512

c2f4c8db80bca6ca122ca22e07be9d6bfcfd2423308bbedd9493d5442142b46443786165a7c7127c25e757478c10adc5d1d6257dc0c30f72f6cbe8075f6b7c40
SSDEEP

12288:PNLK9FChuDDcN6QPaCcn8Is9dO9LCs+ea4aXTy:V/y0PaCcnQPs+ead

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
804	853dd593ac5cdf53c30c2e7574c020d0N.exe

Executes dropped EXE 1 IoCs

pid	Process
804	853dd593ac5cdf53c30c2e7574c020d0N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1656-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000900000002346d-12.dat	upx
behavioral2/memory/804-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3308	804	WerFault.exe	84
3544	804	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	853dd593ac5cdf53c30c2e7574c020d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	853dd593ac5cdf53c30c2e7574c020d0N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3880	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1656	853dd593ac5cdf53c30c2e7574c020d0N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1656	853dd593ac5cdf53c30c2e7574c020d0N.exe
804	853dd593ac5cdf53c30c2e7574c020d0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 804	1656	853dd593ac5cdf53c30c2e7574c020d0N.exe	84
PID 1656 wrote to memory of 804	1656	853dd593ac5cdf53c30c2e7574c020d0N.exe	84
PID 1656 wrote to memory of 804	1656	853dd593ac5cdf53c30c2e7574c020d0N.exe	84
PID 804 wrote to memory of 3880	804	853dd593ac5cdf53c30c2e7574c020d0N.exe	85
PID 804 wrote to memory of 3880	804	853dd593ac5cdf53c30c2e7574c020d0N.exe	85
PID 804 wrote to memory of 3880	804	853dd593ac5cdf53c30c2e7574c020d0N.exe	85
PID 804 wrote to memory of 4624	804	853dd593ac5cdf53c30c2e7574c020d0N.exe	87
PID 804 wrote to memory of 4624	804	853dd593ac5cdf53c30c2e7574c020d0N.exe	87
PID 804 wrote to memory of 4624	804	853dd593ac5cdf53c30c2e7574c020d0N.exe	87
PID 4624 wrote to memory of 1436	4624	cmd.exe	90
PID 4624 wrote to memory of 1436	4624	cmd.exe	90
PID 4624 wrote to memory of 1436	4624	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe
"C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe
  C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe" /TN I8mYOnEac625 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN I8mYOnEac625 > C:\Users\Admin\AppData\Local\Temp\bS9wM7isW.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN I8mYOnEac625
      4⤵
      System Location Discovery: System Language Discovery
      PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 604
    3⤵
    - Program crash
    PID:3308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 632
    3⤵
    - Program crash
    PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 804 -ip 804
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 804 -ip 804
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe

Filesize
501KB

MD5
2709e4367d323364e65d7c1570eda078

SHA1
34be9a290d230897bb79fae2a0418b8db562bb43

SHA256
e369986a7791b6c9b04cddd218db8c11f522fcfa096e127b5a8df73093e64b12

SHA512
f400c75d2f03e9a2e17c1e51528b1711ee65ba44b401f6c895e33292dc1f40c3a5309e23a59f4adc7b9314c389f364ada2777c6d09aea190dec539b820dba095

Download Submit
C:\Users\Admin\AppData\Local\Temp\bS9wM7isW.xml

Filesize
1KB

MD5
2a20a7fe54fb189ee3e65a3f0cbc3e3f

SHA1
c44104315828b56810f424eb41a5c82566cb1627

SHA256
fb445baddcacc72bb5fa18f8f839854f60c006043b77635025d81bf18eebe408

SHA512
e5d1dd0d3c6888eceb57eb9ea661b30551cda787e3d518a9216a46f456083f58ba669f414eb07ab310cf231848ab7697e12efb90939158a624062d8ecb29f0b2

Download Submit
memory/804-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/804-21-0x0000000025020000-0x000000002509E000-memory.dmp

Filesize
504KB

Download
memory/804-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/804-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/804-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1656-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1656-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1656-7-0x0000000024FE0000-0x000000002505E000-memory.dmp

Filesize
504KB

Download
memory/1656-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads