c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639

General

Target

c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe
Size

5.0MB
MD5

86088b7e3e63dc16cbab730fdf9ed0e9
SHA1

e0d6cde49f2174f8a8f977a0bd3d957f20d613c4
SHA256

c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639
SHA512

fb525dada0c2d967be40ac8d90ee3d9753c07c1df9cd4d0ee030b4e5b8a0043e89a8a6584df4f9ecc6d336a5643cdfe72a1c611f4ed9b3bdeb39afa55e00667b
SSDEEP

98304:C8yYSSAv+V8FSrWiFtXaswUdX+G8CJBAUZLhp:BHgUE2aCJVL

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1056-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-54-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-53-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-52-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-9-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-7-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-2-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-0-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1056-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1056	c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe
1056	c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe
1056	c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1056	c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1056	c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe
1056	c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe
1056	c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe

C:\Users\Admin\AppData\Local\Temp\c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe
"C:\Users\Admin\AppData\Local\Temp\c5fca6f14ff23eaaa95ee12d5534804c6d30a3379c3ca12d45b5f0d989b69639.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Basic.ini

Filesize
21B

MD5
d351a32ab356617f2f7b04d0ca96a78e

SHA1
6c46e90c3051ab6a7bb3c056bc122be22b6a5a9f

SHA256
6fa7c7515346defd71ff25a28db1d1822326bead4e1bfccf8c187adbf165a743

SHA512
d9966aab1097c35ddf8787d38eb59d83459fb8eae5aa7ecdf9287ab947eed05a0fd50fefc29c2eca751d92da2081f0b84ba553b0623bfd423af0de54345086fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Config.ini

Filesize
32B

MD5
70d9e4ada4a2586425e0a4467a50f6a4

SHA1
eaeaf42ce01f384685179838ba25752c4e6536f5

SHA256
22d626c65b0b21bb4edae32bf55bb121ac583c28d89d93458fe3e374d036ab9a

SHA512
83bd97663953f9521628232506bc236b289dadce39618be20c79e79ad8373773bdbb8c35d113ea314ffebb363fc7e5caff3d24dc73e0c33b965bc07a2b4f8064

Download Submit
memory/1056-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-54-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-53-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-9-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-7-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-2-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-0-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1056-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing