0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3

General

Target

0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
Size

536KB
MD5

10a489b443ede90cc3748fd4cdfa5a0a
SHA1

24b02d71e7d9a970b43c2523bb7d094ea04fac89
SHA256

0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3
SHA512

e7060eaaa03fc07b26fc09f744dc5ffecdac558d527bcf8c575ed177e23bdf8eb7bec8985fe933e9e6a6342d37e3310fb1a19ca5545d61880e6e8db7d1fb1231
SSDEEP

12288:Xhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:XdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4552-0-0x0000000000F80000-0x0000000001082000-memory.dmp	upx
behavioral2/memory/4552-14-0x0000000000F80000-0x0000000001082000-memory.dmp	upx
behavioral2/memory/4552-21-0x0000000000F80000-0x0000000001082000-memory.dmp	upx
behavioral2/memory/4552-26-0x0000000000F80000-0x0000000001082000-memory.dmp	upx
behavioral2/memory/4552-28-0x0000000000F80000-0x0000000001082000-memory.dmp	upx
behavioral2/memory/4552-31-0x0000000000F80000-0x0000000001082000-memory.dmp	upx
behavioral2/memory/4552-44-0x0000000000F80000-0x0000000001082000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4dee90	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
Token: SeTcbPrivilege	4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
Token: SeDebugPrivilege	4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
Token: SeDebugPrivilege	3460	Explorer.EXE
Token: SeTcbPrivilege	3460	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 3460	4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe	44
PID 4552 wrote to memory of 3460	4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe	44
PID 4552 wrote to memory of 3460	4552	0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe	44

C:\Users\Admin\AppData\Local\Temp\0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe
"C:\Users\Admin\AppData\Local\Temp\0e460d10f54550e3c85cb7984812ee4234476c550c02eb8ffb770803c5d1b2e3.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
1fafb3567a7486402df6a7dee0a648a1

SHA1
225091f3b600bbedaeca86892a0216f8f08b1d35

SHA256
d3d749abcf7ab2652b9969a92fbf2f5178f4a3f78cd15c30e45fbddb0c83d2e3

SHA512
afeabc2c9914fb6370320d3a47d72048c40c3455fda4925956eb6d84470496fc1e40d612d3c2c1e371c753601580525cb0a221387fb618d7c30b7dafe5c7e771

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
939B

MD5
a78e2314e1268a3d65ee1de075fcdc32

SHA1
d30b3e70a713334bdb6c499355b8680c7bd1b847

SHA256
fae0676a046fd42300ee3b94de3198b281882d51791abc1012a6bc48d0bffcc2

SHA512
455a38f5b77322d2d2d71ce83bb9c2b56e5fde87b080a508c0e4a64e1c1b869c23fde3f622295e643598ebdf7915388ba45a553402baa3fcb847ebac095f16e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
03c8e580fc8417cbbdfc321b8e95de30

SHA1
99d3ea35a60796ddcd51a3692ab6a11c964217ac

SHA256
446a85e0344cfe270f3d35ef428124e5d55e89792bcfe61776f1b52bc99709dd

SHA512
1dd6ef76973c6cbe150bd8042c0fdb8b73f9d3b075531684baa45f337e2aec6821a1d76c9e8ea975f4a11cf178daae3cfd5678744806728581b851fb4c3e8910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
32a9a28a84a27792c83b897248d3f0e3

SHA1
bee211ab0a2f445cce08cb450a96474d2c5100f4

SHA256
d5e23bceb845ee329592a9f31df2a329f84c0c4d263fc1929c72bfae67e6f2d1

SHA512
c9ed642c736dbc5369daf1565fce049e9c6713be981a3433916f5d0daf4b67eaa1c20fe139b54bbbe72eef13a8fc2117b16ca05ebd5b69f185a62d85e6a74d57

Download Submit
memory/3460-3-0x0000000000700000-0x0000000000703000-memory.dmp

Filesize
12KB

Download
memory/3460-16-0x0000000002880000-0x00000000028F9000-memory.dmp

Filesize
484KB

Download
memory/3460-6-0x0000000000700000-0x0000000000703000-memory.dmp

Filesize
12KB

Download
memory/3460-7-0x0000000002880000-0x00000000028F9000-memory.dmp

Filesize
484KB

Download
memory/3460-4-0x0000000002880000-0x00000000028F9000-memory.dmp

Filesize
484KB

Download
memory/4552-14-0x0000000000F80000-0x0000000001082000-memory.dmp

Filesize
1.0MB

Download
memory/4552-21-0x0000000000F80000-0x0000000001082000-memory.dmp

Filesize
1.0MB

Download
memory/4552-0-0x0000000000F80000-0x0000000001082000-memory.dmp

Filesize
1.0MB

Download
memory/4552-26-0x0000000000F80000-0x0000000001082000-memory.dmp

Filesize
1.0MB

Download
memory/4552-28-0x0000000000F80000-0x0000000001082000-memory.dmp

Filesize
1.0MB

Download
memory/4552-31-0x0000000000F80000-0x0000000001082000-memory.dmp

Filesize
1.0MB

Download
memory/4552-44-0x0000000000F80000-0x0000000001082000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing