2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8

General

Target

2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
Size

536KB
MD5

eeab8d7ff07504bd709f79d6253d14e3
SHA1

add618f29f757931298bcb7072965e1f7cecaecd
SHA256

2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8
SHA512

065117205a1d0d6764f92336cf6b8ba58c27c1e68f451f1359884ba74f475f5d8ca15d4a2fbefa9d7cc0a405471c6c7051b886ab0ad4953b47260a317f6081e7
SSDEEP

12288:Uhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:UdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1936-0-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral2/memory/1936-3-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral2/memory/1936-15-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral2/memory/1936-26-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral2/memory/1936-27-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral2/memory/1936-28-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral2/memory/1936-29-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral2/memory/1936-34-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral2/memory/1936-46-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\212520	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
3332	Explorer.EXE
3332	Explorer.EXE
3332	Explorer.EXE
3332	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
Token: SeTcbPrivilege	1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
Token: SeDebugPrivilege	1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
Token: SeDebugPrivilege	3332	Explorer.EXE
Token: SeTcbPrivilege	3332	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 3332	1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe	54
PID 1936 wrote to memory of 3332	1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe	54
PID 1936 wrote to memory of 3332	1936	2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3332
- C:\Users\Admin\AppData\Local\Temp\2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe
  "C:\Users\Admin\AppData\Local\Temp\2034388a79107b00a9f8ef054fa37f465e830cd1600e510ef846a2ebd85609b8.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
30f144c223cde8549f74c644def70c6f

SHA1
c3b761b885c364f4b79d036fb40818374ba1f6f9

SHA256
62ba74cd7ddf61d4742b50025acb9bc82acdc853277ed63ad5ea32e3f7dc9d41

SHA512
b0803125f22f9f69fc15cf8ec6b26af91bc299d600727f35ce2f47de13e522ffd5b64de299b78a84b8df8b3ea8da9c0d0d30a0f26ed0789196b74f7bd382ad59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
3897f298297691e9485bb719cdb50538

SHA1
58727852b4e7f90e19c51701ba863d13fe093bd0

SHA256
21fcd11ddd105d2aaf0fc5ae1a8a1d52194be00b3dba2a3b3e5cf7c6330e0c85

SHA512
dcec4b98daecea2980fbeb6b10a11aeb434ed58b70b1699d5008cce9013a8ae08dce0d625aa89cebac637653e677c4157ba4411a744c5b93b9859f7cfeba4d66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
0b14df5726e444172f36627e1d274ac6

SHA1
519ea866c6eb3bd3512124b373ae9a8ed5dde21b

SHA256
242c61043567f914b21addb590eefc2150dbad4d00f2cde4d56ecfa8b81b7a6e

SHA512
fb04e71ba1701073d70050bbcc4f4f9986e8a0fe69fd6465282d041aea4fbc6cc8e597f7b970a0b464466edd552db40b9442d5450aea66fc4f81501f4565799f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
ff46d3097ed3ff26788ed1f6434dba3b

SHA1
ea25c4f993221a3e0158324d94ab41fe236aaf32

SHA256
a00ccac0344c7e91a6ac2cc0618ae4e9a4bfb6c0584de2bab80b13e2f19bcd12

SHA512
164e1745c10fef689ae8c7771c682ec4394839f91ff3908c50f3e227e08054ad355473359bbf36a16c1bc47868f1e4da8bae9fbd94b88bd95d67d943d325f172

Download Submit
memory/1936-34-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/1936-29-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/1936-28-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/1936-15-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/1936-27-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/1936-0-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/1936-26-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/1936-46-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/1936-3-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/3332-6-0x0000000003640000-0x00000000036B9000-memory.dmp

Filesize
484KB

Download
memory/3332-17-0x0000000003640000-0x00000000036B9000-memory.dmp

Filesize
484KB

Download
memory/3332-7-0x00000000014F0000-0x00000000014F3000-memory.dmp

Filesize
12KB

Download
memory/3332-8-0x0000000003640000-0x00000000036B9000-memory.dmp

Filesize
484KB

Download
memory/3332-5-0x00000000014F0000-0x00000000014F3000-memory.dmp

Filesize
12KB

Download
memory/3332-4-0x00000000014F0000-0x00000000014F3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing