4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9

General

Target

4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
Size

536KB
MD5

50ca59b1337fd05ac7e4801d1f0615b4
SHA1

12a223fdf7fdbcfde6043c29b61df08c2381b607
SHA256

4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9
SHA512

3c3b9c28b8335ad4b25174c42bd83f0fc35de76da992f679f1364be72d7199eb34ce4368227399835c488674850dfde51ebb27ff53350d9259c9715039aa354f
SSDEEP

12288:rhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:rdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4696-0-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4696-14-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4696-25-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4696-26-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4696-32-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4696-44-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4696-68-0x0000000000890000-0x0000000000992000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\5065b0	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
3420	Explorer.EXE
3420	Explorer.EXE
3420	Explorer.EXE
3420	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
Token: SeTcbPrivilege	4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
Token: SeDebugPrivilege	4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
Token: SeDebugPrivilege	3420	Explorer.EXE
Token: SeTcbPrivilege	3420	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 3420	4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe	76
PID 4696 wrote to memory of 3420	4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe	76
PID 4696 wrote to memory of 3420	4696	4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe	76

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420
- C:\Users\Admin\AppData\Local\Temp\4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
  "C:\Users\Admin\AppData\Local\Temp\4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a1f04d597102dcff7d4a7d15e7669f95

SHA1
0c2cb6fcc09da00eafe14ca5500b6da0b1c639a3

SHA256
3fe2dd34fffba51db94882aa52161da94cd2648057ad19b68606221b59d9c42f

SHA512
e0dca116d5b6d0d1c1899f34fc4187910daf9bc8b6583265861385e0d6d3237c1eb98eda2432d6993bf9f167425fea08f5a6c835d78508ca6412eb67ae82eb57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c58ff9ddccba70f310043ed3be885d8a

SHA1
7bce851c92eacdd087b539e94313b4ed5c2dd92f

SHA256
f411dc71a46c03518d5a74d9349712a0d369173d925a9bc2871d34f3bb2a3235

SHA512
7b08e836d3a2d1e6ef82429c8634ea86ea6dc8bd041db387c10102ecd120f138872db3cdcbc5429261ce3e17e32402e336a9fd1dc2d0bbf41b6213a13ab3dc3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
a794bf4a852f1cbffc3cb78c84ed81c8

SHA1
c04e7eddb80ab0b3c6e0fa36657ed0cc6f4ddc25

SHA256
6cd5aab293de80be79c37ddca2e51ddb5c169ea7aeca22121a9fbb6752572f9a

SHA512
a5c44993170f23fb2be440cf562e8b0f1d6436dff0ab3458cb9c1d9895e96ce9943bda864666462d51582ce88b3bdcc027af68cf35ff78147f3629a8d8279d01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
26afb70b12bbcde81d7087e8c527e7ab

SHA1
6551c38ca2ce47c88e31a707e5f2390fc589f19b

SHA256
5cdf774dec9eaa5d56d3172151f8750ea2fe241f10a6c10ab40ec8be4966ade6

SHA512
6cc5d324ba717ddf0bb68002a1d48f3bed6980a35568c3ba82faa761051300505c10921898fb5b18aa643cc4cecd6acd622423e7777f5f0129a4e8374b2c3e8d

Download Submit
memory/3420-3-0x0000000002040000-0x0000000002043000-memory.dmp

Filesize
12KB

Download
memory/3420-16-0x00000000027C0000-0x0000000002839000-memory.dmp

Filesize
484KB

Download
memory/3420-7-0x00000000027C0000-0x0000000002839000-memory.dmp

Filesize
484KB

Download
memory/3420-5-0x0000000002040000-0x0000000002043000-memory.dmp

Filesize
12KB

Download
memory/3420-4-0x00000000027C0000-0x0000000002839000-memory.dmp

Filesize
484KB

Download
memory/4696-14-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4696-0-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4696-25-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4696-26-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4696-32-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4696-44-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4696-68-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing