a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30

General

Target

a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
Size

536KB
MD5

c8a584eb8d26ed207442452d82b871c2
SHA1

58c239091cb4954c1ad067eff81a350221a9d287
SHA256

a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30
SHA512

eb5da9130d548fb72de45ddadb9039ae5c76ac0a643a74ec42ada8a48582913f7756320f01bb0b116ced230e3b156a4aa47170a3f150187f1438662d18153f33
SSDEEP

12288:zhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:zdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3372-0-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/3372-8-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/3372-19-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/3372-26-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/3372-27-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/3372-31-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/3372-38-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/3372-45-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\39bad8	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
3572	Explorer.EXE
3572	Explorer.EXE
3572	Explorer.EXE
3572	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
Token: SeTcbPrivilege	3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
Token: SeDebugPrivilege	3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
Token: SeDebugPrivilege	3572	Explorer.EXE
Token: SeTcbPrivilege	3572	Explorer.EXE
Token: SeShutdownPrivilege	3572	Explorer.EXE
Token: SeCreatePagefilePrivilege	3572	Explorer.EXE
Token: SeShutdownPrivilege	3572	Explorer.EXE
Token: SeCreatePagefilePrivilege	3572	Explorer.EXE
Token: SeShutdownPrivilege	3572	Explorer.EXE
Token: SeCreatePagefilePrivilege	3572	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3572	Explorer.EXE
3572	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 3572	3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe	46
PID 3372 wrote to memory of 3572	3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe	46
PID 3372 wrote to memory of 3572	3372	a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe	46

C:\Users\Admin\AppData\Local\Temp\a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe
"C:\Users\Admin\AppData\Local\Temp\a58311743835e02d003d9d1f5c5084704f7f1289e8c71a8b3c2c4f86c8484b30.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3EC845F33427F1C99AF855BE8930371C

Filesize
1KB

MD5
4d050164a30b6984877e708b688cb68a

SHA1
4b08de5f0a16824b2d878f69420bf0d3041df1f0

SHA256
e93952efeaa1da5ecfce295349c6b2eb0dea9d497d73466fb97e8bab20e1d734

SHA512
a2ca6da56d10d7cb95180efbfd91692a232dcf82ced4dfee0a275c884405c9ea1506d6100ed6f4b803cdc608f88cf86ac909d32cd283330aef262b9a67519d60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
2164869438b1c582dd59087f8edcab39

SHA1
cfff723358916981534675e7866a17deffba6c85

SHA256
cd62bdce0cd913826653fb50b9e7e75f56e269c2a8d1791a71bda52e7a6bdb97

SHA512
1cde513d61fe5400640b022f9017a91eec791e6f66a8a493b42a4ccbc47d8537d4940f761fb9eadbd51f1870212f334c03c333139535858cbf7ae491cf5161bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3EC845F33427F1C99AF855BE8930371C

Filesize
210B

MD5
eba97aa7aba4c28a53689a25d60c2125

SHA1
9aa502c478f961ff9b5a7c773a9d6907e1fc8f14

SHA256
0073a5277019c85f919a7f1ef3dced2037652be9423542b1d16404d8f460344e

SHA512
4c2293cfb721f5e3630caa0defd5048014e46a1c05e2f786b275675164f03a914ed54d50caef14f39a2a4069360ef8e01b6c25a3b07e53c6bfcf6689a7f5a900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
e2c101e3c9d47c8f1d14ece694c6d5a2

SHA1
55c3048760bbb7052c1da9ecdcbe5249f78ad2f7

SHA256
19c06ebdd467f1783742b45dcfe1e6b01745a8a17195e6699ce5ae7da46f61e0

SHA512
f7d6f3c292629ab1a01db7e537000d28d8cd23a26c23af80eed2ce14efd5ca62b03bd3c130da9dd81a092a669fd979ed03827257989b55bb2b0099db335bbfb8

Download Submit
memory/3372-26-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/3372-8-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/3372-19-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/3372-0-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/3372-27-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/3372-31-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/3372-38-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/3372-45-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/3572-17-0x0000000002960000-0x00000000029D9000-memory.dmp

Filesize
484KB

Download
memory/3572-7-0x0000000002960000-0x00000000029D9000-memory.dmp

Filesize
484KB

Download
memory/3572-4-0x0000000000B40000-0x0000000000B43000-memory.dmp

Filesize
12KB

Download
memory/3572-5-0x0000000002960000-0x00000000029D9000-memory.dmp

Filesize
484KB

Download
memory/3572-3-0x0000000000B40000-0x0000000000B43000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing