4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9

General

Target

4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
Size

536KB
MD5

1d0b057a37f962f6553a514868866933
SHA1

35e7c89580895b645750cee8d9d1bcd092db44ce
SHA256

4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9
SHA512

daea2463051029f20c85fa16b5d240155ab78789d62cd8e51a18adb2dc91494bd040617b204d538da8452fc945f9dafaba8c0f2b3b2646dffb04badee74dd84d
SSDEEP

12288:7hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:7dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3000-0-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral2/memory/3000-14-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral2/memory/3000-25-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral2/memory/3000-26-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral2/memory/3000-29-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral2/memory/3000-44-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral2/memory/3000-68-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\335c70	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
Token: SeTcbPrivilege	3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
Token: SeDebugPrivilege	3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
Token: SeDebugPrivilege	3492	Explorer.EXE
Token: SeTcbPrivilege	3492	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3492	3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe	53
PID 3000 wrote to memory of 3492	3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe	53
PID 3000 wrote to memory of 3492	3000	4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe	53

C:\Users\Admin\AppData\Local\Temp\4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe
"C:\Users\Admin\AppData\Local\Temp\4a8471d323d607738e84f976d2a2c8178fdc6700a14e03407048d129ce04dae9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a1f04d597102dcff7d4a7d15e7669f95

SHA1
0c2cb6fcc09da00eafe14ca5500b6da0b1c639a3

SHA256
3fe2dd34fffba51db94882aa52161da94cd2648057ad19b68606221b59d9c42f

SHA512
e0dca116d5b6d0d1c1899f34fc4187910daf9bc8b6583265861385e0d6d3237c1eb98eda2432d6993bf9f167425fea08f5a6c835d78508ca6412eb67ae82eb57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c58ff9ddccba70f310043ed3be885d8a

SHA1
7bce851c92eacdd087b539e94313b4ed5c2dd92f

SHA256
f411dc71a46c03518d5a74d9349712a0d369173d925a9bc2871d34f3bb2a3235

SHA512
7b08e836d3a2d1e6ef82429c8634ea86ea6dc8bd041db387c10102ecd120f138872db3cdcbc5429261ce3e17e32402e336a9fd1dc2d0bbf41b6213a13ab3dc3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
07810425d0759ffd49b87867c857babf

SHA1
555d788a09fb1fc80a45e3b6d4d2995df9d59685

SHA256
b1130d8084d2bc57b612fce42896ec4f1805d8ad0da44fb55fc101c21e401318

SHA512
e12cc65d7edf49eb7e1177827ec9c060b0cdd8dc97f1d8f0f40ce6a25b3adda373ecd218c4a0130bba2893609a7ee562b0ab8649ef6d2d8cb126d59f2936babf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
b56674f36ac647d5abb15cbb1d12ef28

SHA1
a1eeaa73da415255f770de6bc2538eaac6c0d805

SHA256
a35c44a047532f265810f206a88629ab31b7a8180ab61605c0347c520f5ec7a6

SHA512
d0bd900ea52fc3c082fb19aa1831fe56a1b0dc795f1e5034c2a422039b05fbf823f0fabb1e0f42dfdb5c425540464244c05e12f8c88e34fb61ff225de2d54a6b

Download Submit
memory/3000-26-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/3000-14-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/3000-25-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/3000-0-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/3000-29-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/3000-44-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/3000-68-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/3492-17-0x0000000002810000-0x0000000002889000-memory.dmp

Filesize
484KB

Download
memory/3492-7-0x0000000002810000-0x0000000002889000-memory.dmp

Filesize
484KB

Download
memory/3492-6-0x00000000008A0000-0x00000000008A3000-memory.dmp

Filesize
12KB

Download
memory/3492-4-0x0000000002810000-0x0000000002889000-memory.dmp

Filesize
484KB

Download
memory/3492-3-0x00000000008A0000-0x00000000008A3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing