038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89

General

Target

038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
Size

536KB
MD5

39bf0ab50c09a22792cecb6fe5c1b3d2
SHA1

8ddd89d0f8791f71f1904d6dac82e803059c230c
SHA256

038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89
SHA512

3ebc2631e16e804eef7a0845019226cce12704e6999837d7e20801933718cd2af482bc1ce4c84c8b00f9c5770d6880ece52b023e34a5988d4ef018ffded04015
SSDEEP

12288:Vhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:VdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3888-0-0x0000000000A80000-0x0000000000B82000-memory.dmp	upx
behavioral2/memory/3888-8-0x0000000000A80000-0x0000000000B82000-memory.dmp	upx
behavioral2/memory/3888-25-0x0000000000A80000-0x0000000000B82000-memory.dmp	upx
behavioral2/memory/3888-26-0x0000000000A80000-0x0000000000B82000-memory.dmp	upx
behavioral2/memory/3888-29-0x0000000000A80000-0x0000000000B82000-memory.dmp	upx
behavioral2/memory/3888-43-0x0000000000A80000-0x0000000000B82000-memory.dmp	upx
behavioral2/memory/3888-65-0x0000000000A80000-0x0000000000B82000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\429060	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
Token: SeTcbPrivilege	3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
Token: SeDebugPrivilege	3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
Token: SeDebugPrivilege	3136	Explorer.EXE
Token: SeTcbPrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 3136	3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe	84
PID 3888 wrote to memory of 3136	3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe	84
PID 3888 wrote to memory of 3136	3888	038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3136
- C:\Users\Admin\AppData\Local\Temp\038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe
  "C:\Users\Admin\AppData\Local\Temp\038fdbfb7f46fed85b05571310c376a24ff3efb1ad80ba1625d9e4d636539f89.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a1f04d597102dcff7d4a7d15e7669f95

SHA1
0c2cb6fcc09da00eafe14ca5500b6da0b1c639a3

SHA256
3fe2dd34fffba51db94882aa52161da94cd2648057ad19b68606221b59d9c42f

SHA512
e0dca116d5b6d0d1c1899f34fc4187910daf9bc8b6583265861385e0d6d3237c1eb98eda2432d6993bf9f167425fea08f5a6c835d78508ca6412eb67ae82eb57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
1e3efe731ff2279126ec4e8d2feb2c59

SHA1
4a317ed2c9005b37e50fd43502da25894003ba36

SHA256
b9b4411cfa4ddd72bb752b69af2ba7eae692eb53dd88e07df937134f230c47e2

SHA512
4431f09b2ced7e12167e82cef5211b1df24639ad8f70c86a0b015c441b48bf695b8544a1d99ed9d7aa7441fa7026129bff80eebd4100628fbe25636a7167fd99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
48f82f97a62be95d81c9d2d611d42867

SHA1
7a89f8eccfffbc6350cdbb0fca203c6ff4107411

SHA256
79bd4110a8d4a95b8959d90c148d9dced77be7b21d13d59c0283a8f7081f2e33

SHA512
7b285a0c351e5ea34d5c44142a1b5cae5befb0450e0fbee6178208df7145a4029770fc6acdbfb2eb767cd4b7dc849a1349096dc448a283ab5db5d4ee418b785a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
a41a6d652f003af24fb319d8ab0f6bbd

SHA1
088ab52310206b37c7e72e3fda05456224a73038

SHA256
aa504dcb8e08e848d94af650381a51a9b614b8e7d2294a46fc42d5992d191097

SHA512
8a9ea83ca23ac22fd44350f902637662ecfd9205ef224d12304453476e578a1836832003d13d41786f4b47f9b773f6c3c34417ebff30278d7d7ab3a6863e3f91

Download Submit
memory/3136-7-0x00000000024B0000-0x0000000002529000-memory.dmp

Filesize
484KB

Download
memory/3136-6-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/3136-16-0x00000000024B0000-0x0000000002529000-memory.dmp

Filesize
484KB

Download
memory/3136-3-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/3136-4-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/3136-5-0x00000000024B0000-0x0000000002529000-memory.dmp

Filesize
484KB

Download
memory/3888-8-0x0000000000A80000-0x0000000000B82000-memory.dmp

Filesize
1.0MB

Download
memory/3888-0-0x0000000000A80000-0x0000000000B82000-memory.dmp

Filesize
1.0MB

Download
memory/3888-25-0x0000000000A80000-0x0000000000B82000-memory.dmp

Filesize
1.0MB

Download
memory/3888-26-0x0000000000A80000-0x0000000000B82000-memory.dmp

Filesize
1.0MB

Download
memory/3888-29-0x0000000000A80000-0x0000000000B82000-memory.dmp

Filesize
1.0MB

Download
memory/3888-43-0x0000000000A80000-0x0000000000B82000-memory.dmp

Filesize
1.0MB

Download
memory/3888-65-0x0000000000A80000-0x0000000000B82000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing