5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1

General

Target

5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
Size

536KB
MD5

d2385b1d7d82d9625a64253cfc313007
SHA1

8cb9873d8abca695ca16f0d10260d57d99fcd51c
SHA256

5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1
SHA512

b26e9a0097fb924684d6df3a61213ba5dae3e8af98d352ea070b256ccf6f56b83045002aaad1b28c1415b88ce15a5381c1e01d6a95e3ec061f32b94afd5e874f
SSDEEP

12288:Ghf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:GdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3124-0-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/3124-8-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/3124-19-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/3124-27-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/3124-33-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/3124-45-0x0000000000940000-0x0000000000A42000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\357be8	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
3540	Explorer.EXE
3540	Explorer.EXE
3540	Explorer.EXE
3540	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
Token: SeTcbPrivilege	3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
Token: SeDebugPrivilege	3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
Token: SeDebugPrivilege	3540	Explorer.EXE
Token: SeTcbPrivilege	3540	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3540	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 3540	3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe	53
PID 3124 wrote to memory of 3540	3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe	53
PID 3124 wrote to memory of 3540	3124	5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3540
- C:\Users\Admin\AppData\Local\Temp\5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe
  "C:\Users\Admin\AppData\Local\Temp\5d61d6d92eaf7ff1950a9e2917b1447b219ee59e72ec2dfd954a9aadfed347c1.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
2164869438b1c582dd59087f8edcab39

SHA1
cfff723358916981534675e7866a17deffba6c85

SHA256
cd62bdce0cd913826653fb50b9e7e75f56e269c2a8d1791a71bda52e7a6bdb97

SHA512
1cde513d61fe5400640b022f9017a91eec791e6f66a8a493b42a4ccbc47d8537d4940f761fb9eadbd51f1870212f334c03c333139535858cbf7ae491cf5161bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
1e3efe731ff2279126ec4e8d2feb2c59

SHA1
4a317ed2c9005b37e50fd43502da25894003ba36

SHA256
b9b4411cfa4ddd72bb752b69af2ba7eae692eb53dd88e07df937134f230c47e2

SHA512
4431f09b2ced7e12167e82cef5211b1df24639ad8f70c86a0b015c441b48bf695b8544a1d99ed9d7aa7441fa7026129bff80eebd4100628fbe25636a7167fd99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
18777e93e00fddad1ea8d925d4e24d74

SHA1
b73399618c72dcf6ecd4ace1b6dacafb1607616e

SHA256
0073691e25958eef32adb1de7d8fc49bfba7853d18d082e0d7d97f974fdf9f15

SHA512
eef5764f27537d486fd23c0ec5d47c3d27886221050b903bf4a6954034e06c73042bbdfcbe6778e199ec6105c72c73551de26272f2caace9ee004102f9e95d27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
4b30827d7590810e1f90ece5b3884b8a

SHA1
6dc35677517d7d3bd2b56565a5145913af9668f3

SHA256
1fc150e6ee5352edde2ed0e1a2c181a83c1695ebf4360b0051ce457b1eaca2b9

SHA512
55ad342e04f3778c535c759354ec5e06bfcd5cc2ea9f18433cad5adb472f804582bb7b49e950996db3dadee0fd82e5ea737cfb6ba42ffa76b0c1fa694d40520f

Download Submit
memory/3124-19-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/3124-8-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/3124-0-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/3124-27-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/3124-33-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/3124-45-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/3540-6-0x0000000008490000-0x0000000008509000-memory.dmp

Filesize
484KB

Download
memory/3540-16-0x0000000008490000-0x0000000008509000-memory.dmp

Filesize
484KB

Download
memory/3540-7-0x0000000007570000-0x0000000007573000-memory.dmp

Filesize
12KB

Download
memory/3540-5-0x0000000008490000-0x0000000008509000-memory.dmp

Filesize
484KB

Download
memory/3540-4-0x0000000007570000-0x0000000007573000-memory.dmp

Filesize
12KB

Download
memory/3540-3-0x0000000007570000-0x0000000007573000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing