9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
Size

536KB
MD5

93fd218bcb164326b238c5d6f95bb046
SHA1

942bbef8e5e0ec6a5ff3d2006f584334db39fead
SHA256

9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839
SHA512

89803cc5d956ee447920382a2380353b46ebd7b1dde470cf5ce893d8cb7e4d2b5f3b154a4779892e026c6bd09d12231c49bec2e1e4a7d480bd760423362ec4d3
SSDEEP

12288:Phf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:PdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000930000-0x0000000000A32000-memory.dmp	upx
behavioral1/memory/2916-140-0x0000000000930000-0x0000000000A32000-memory.dmp	upx
behavioral1/memory/2916-233-0x0000000000930000-0x0000000000A32000-memory.dmp	upx
behavioral1/memory/2916-414-0x0000000000930000-0x0000000000A32000-memory.dmp	upx
behavioral1/memory/2916-627-0x0000000000930000-0x0000000000A32000-memory.dmp	upx
behavioral1/memory/2916-701-0x0000000000930000-0x0000000000A32000-memory.dmp	upx
behavioral1/memory/2916-715-0x0000000000930000-0x0000000000A32000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\31ec48	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
Token: SeTcbPrivilege	2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
Token: SeDebugPrivilege	2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
Token: SeDebugPrivilege	1216	Explorer.EXE
Token: SeTcbPrivilege	1216	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1216	2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe	7
PID 2916 wrote to memory of 1216	2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe	7
PID 2916 wrote to memory of 1216	2916	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe	7

C:\Users\Admin\AppData\Local\Temp\9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
"C:\Users\Admin\AppData\Local\Temp\9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34622cac241cc13115741246c4882211

SHA1
ae350625a6f58514c8bdb65902db58aa4fe5a1b7

SHA256
27e632911b7b4c533b1563a6a35715845bbd9c87b9541a9835ee0a999a4a9be6

SHA512
940c6923dab4f059b54fbf999c5f8b3def3bf3cbedaceedad20d0977dfc18d989da851ae78843798f5b4cf26541092df4a5c798a48e2453fd20878894afbf199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b864e22dcc543152e6ba4edeefcacfa7

SHA1
e9b658589fb6e3f42e15a3218b922e8f2d390253

SHA256
90809489102be2870a86625a518f1a25922c3be19d4ed41534a4bef36a56875b

SHA512
57eecc5d1e79ac9a1dac7257d125124bab9fc9b37311adb8e2546fd8efedbac940234c2a5b103d0a0c82023569e60e992bc970dff1ba2c86388e1adbbf39c2be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0933c4d8f25b14ef4c4399e3e2dbb22a

SHA1
a84c09699ca44926c8ef1ea90ee263def8bcf787

SHA256
9a8cb53a9ca14e0503ff9d09a5d8af4dfc2ab7389acd189251d74f06e926cf5d

SHA512
409848babb8b692c0786356e777f35cddb6ba0c4664233c3c5f5bbc60be5f2e79955d8b518d76ed44293b74cbec1ac56483f8152612e681a136cd684827e9baf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e1943e85cd24bfbfd4695126635fe0c

SHA1
2d6222855457201d4ed4fc1622cc39b72f64e022

SHA256
53de6f9afde48bda4ea82041b3a18d4a3eb3e94bdedf6e0aed8ee86f15e70609

SHA512
1ac604f05849d2a6e57a94aa4370c9ac728d30347b587cebc254e111ab80e2f5fe66c34b1a9b972ed82f1da40779ba4caaab2188af9988e660a677276d1a81f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a9d67efb6de8d19634269c584c6d787

SHA1
1f2d11c02247e61c1741699ed56edce19b09d5cf

SHA256
5f73e255d906ba25a6bfea32180cf14404248f0a3dafd001ff982367aaa31632

SHA512
facde950bb6c8f7ce115de290ca34209efa186f133046cfcd2c170ab17ee91d4ddf9d1fcf85edd51d60e4275735bd679bd15896934ecfc1d2102c65c67f40ff3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d84edb77a206e96bd53e845dbb71d54

SHA1
0d122c0f8c8f0aa123de5795aabdcbdf9781aca9

SHA256
eedb9151ba775f9a4537686ede0078223eb866edb1c4b051058f49a7994f6a85

SHA512
e84e40612edcd35e563db07d7e1b4e228fd081b82d5a21d30fdeedb46ed8e0e1f0e111b0dce96b7fe94f16d0f6577a5bdd28a39091a06cfb027dab8dc7e2ce20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0dd554fb79a558ab9c6be479411dfa19

SHA1
04ab989de192db0887509cd6083b6d66b4864ab5

SHA256
72b4740e77d8e6198ab927350a0fe3bbba0f29ea046ab3b0d861540b7c5ee13b

SHA512
13ed069bd9380b884b174eb2fc87f6acc0c7621f8fcfd9a747a341a894ec3223b2863f37d735b9b4da1e5f03e9f6dc4a771a5712eadfe90f26c210e32e2b6742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AA7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1216-3-0x0000000002D70000-0x0000000002D73000-memory.dmp

Filesize
12KB

Download
memory/1216-190-0x0000000004410000-0x0000000004489000-memory.dmp

Filesize
484KB

Download
memory/1216-4-0x0000000002D70000-0x0000000002D73000-memory.dmp

Filesize
12KB

Download
memory/1216-6-0x0000000004410000-0x0000000004489000-memory.dmp

Filesize
484KB

Download
memory/2916-414-0x0000000000930000-0x0000000000A32000-memory.dmp

Filesize
1.0MB

Download
memory/2916-0-0x0000000000930000-0x0000000000A32000-memory.dmp

Filesize
1.0MB

Download
memory/2916-233-0x0000000000930000-0x0000000000A32000-memory.dmp

Filesize
1.0MB

Download
memory/2916-627-0x0000000000930000-0x0000000000A32000-memory.dmp

Filesize
1.0MB

Download
memory/2916-140-0x0000000000930000-0x0000000000A32000-memory.dmp

Filesize
1.0MB

Download
memory/2916-701-0x0000000000930000-0x0000000000A32000-memory.dmp

Filesize
1.0MB

Download
memory/2916-715-0x0000000000930000-0x0000000000A32000-memory.dmp

Filesize
1.0MB

Download