9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839

General

Target

9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
Size

536KB
MD5

93fd218bcb164326b238c5d6f95bb046
SHA1

942bbef8e5e0ec6a5ff3d2006f584334db39fead
SHA256

9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839
SHA512

89803cc5d956ee447920382a2380353b46ebd7b1dde470cf5ce893d8cb7e4d2b5f3b154a4779892e026c6bd09d12231c49bec2e1e4a7d480bd760423362ec4d3
SSDEEP

12288:Phf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:PdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3204-0-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/3204-15-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/3204-26-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/3204-27-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/3204-31-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/3204-44-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/3204-67-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\36da88	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
Token: SeTcbPrivilege	3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
Token: SeDebugPrivilege	3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
Token: SeDebugPrivilege	2640	Explorer.EXE
Token: SeTcbPrivilege	2640	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 2640	3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe	52
PID 3204 wrote to memory of 2640	3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe	52
PID 3204 wrote to memory of 2640	3204	9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe	52

C:\Users\Admin\AppData\Local\Temp\9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe
"C:\Users\Admin\AppData\Local\Temp\9452864e98d4a8df8c26aed13a8b2649f0ca701cd794d9926d51b8296c195839.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a1f04d597102dcff7d4a7d15e7669f95

SHA1
0c2cb6fcc09da00eafe14ca5500b6da0b1c639a3

SHA256
3fe2dd34fffba51db94882aa52161da94cd2648057ad19b68606221b59d9c42f

SHA512
e0dca116d5b6d0d1c1899f34fc4187910daf9bc8b6583265861385e0d6d3237c1eb98eda2432d6993bf9f167425fea08f5a6c835d78508ca6412eb67ae82eb57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c58ff9ddccba70f310043ed3be885d8a

SHA1
7bce851c92eacdd087b539e94313b4ed5c2dd92f

SHA256
f411dc71a46c03518d5a74d9349712a0d369173d925a9bc2871d34f3bb2a3235

SHA512
7b08e836d3a2d1e6ef82429c8634ea86ea6dc8bd041db387c10102ecd120f138872db3cdcbc5429261ce3e17e32402e336a9fd1dc2d0bbf41b6213a13ab3dc3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
ede63d3c97b922e1ddb99eb6f70354a0

SHA1
95d56b4c8800b9a29c693b70e0b800c8dec93e4b

SHA256
06332c6e553b57f17a1f9211b0cb29353ee035ec65f877453f4cb0daed2a8c48

SHA512
06492f83281ff1f205597f648ac8b7e7930d9e3a44febed7cfc906364bc93b0d34bba0fe0c5157d63603c84fe336a088085a0bba846d35ddf34466ba04b02eb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
ebde98ea5405dddb88bd913b536a2d5b

SHA1
bfea654c8e6a4163cebf37b26fdda7f279230dd5

SHA256
9361faf623aad56044325e658f947d12dd6369f3911913cb56d787cb4ee8a477

SHA512
857d674d0954ce23fc9a6595437e6a480640ef9b52b3afd4ef767b0f5c34f852bc738c6762868fe79d94a8b49490089f297f4347db09137f1c4f076f4dcdf068

Download Submit
memory/2640-3-0x00000000031E0000-0x00000000031E3000-memory.dmp

Filesize
12KB

Download
memory/2640-17-0x00000000033E0000-0x0000000003459000-memory.dmp

Filesize
484KB

Download
memory/2640-4-0x00000000033E0000-0x0000000003459000-memory.dmp

Filesize
484KB

Download
memory/2640-5-0x00000000031E0000-0x00000000031E3000-memory.dmp

Filesize
12KB

Download
memory/2640-6-0x00000000033E0000-0x0000000003459000-memory.dmp

Filesize
484KB

Download
memory/3204-15-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-0-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-26-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-27-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-31-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-44-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-67-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing