c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2

General

Target

c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
Size

536KB
MD5

ea23b75d92c9353daa434a4561173ad0
SHA1

74448e03273b8bd47e08c90c9fef4ff605d773ea
SHA256

c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2
SHA512

53e2ae7be761c77dae4899ec60eb0fd617d64db2736b3bac7ff1347b8d64fa69c00d251746b9dc0131d67014eb9efeea89a1525617e89885ef5d886a8fb87f83
SSDEEP

12288:ahf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:adQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2720-0-0x00000000000D0000-0x00000000001D2000-memory.dmp	upx
behavioral2/memory/2720-8-0x00000000000D0000-0x00000000001D2000-memory.dmp	upx
behavioral2/memory/2720-25-0x00000000000D0000-0x00000000001D2000-memory.dmp	upx
behavioral2/memory/2720-26-0x00000000000D0000-0x00000000001D2000-memory.dmp	upx
behavioral2/memory/2720-27-0x00000000000D0000-0x00000000001D2000-memory.dmp	upx
behavioral2/memory/2720-32-0x00000000000D0000-0x00000000001D2000-memory.dmp	upx
behavioral2/memory/2720-42-0x00000000000D0000-0x00000000001D2000-memory.dmp	upx
behavioral2/memory/2720-66-0x00000000000D0000-0x00000000001D2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2e9140	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
Token: SeTcbPrivilege	2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
Token: SeDebugPrivilege	2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
Token: SeDebugPrivilege	3360	Explorer.EXE
Token: SeTcbPrivilege	3360	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3360	Explorer.EXE
3360	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 3360	2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe	47
PID 2720 wrote to memory of 3360	2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe	47
PID 2720 wrote to memory of 3360	2720	c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe	47

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3360
- C:\Users\Admin\AppData\Local\Temp\c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe
  "C:\Users\Admin\AppData\Local\Temp\c01008d3b4d147a0dd86b8f46c1890a0f05e0509cf171280285810519ac14aa2.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
a0b82a6a0cf7d6824295d5e9ce0b1376

SHA1
c7c7f602ccf6a05f01a925476da2d447f9e331a6

SHA256
3ec9faa42a902f13a53d6aeb36e56d35c2f82eb28f7b5e8eb30e172a84d5c432

SHA512
b7b19e1b2020c7f5e6512cd5f292d06f9372cf6b53bbaaa6fde2cabda8e1cb7cfd0fbda5ba1e7a619912b9ec7c30d6a67e0986745d4145005d54d7af65b94a3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AAD646CB44373074ADE741C38400E7E1

Filesize
687B

MD5
4efd4f6d9c6d2fb581a0c0e0387fdce7

SHA1
7364d619fa43a3bcd6a2c379babe9169cded47ef

SHA256
20558404e4f5f7db54804fadbf4cec1b84a379ceaf42cee92014528008a3a693

SHA512
ad1c1d947d1958b9d3179cb3884c392da52470b55ab923e5e4a1577ced36b571370ab4a5a65fff39f4d614614107dc4f40fec6f86383478d5fbe751b3dbdf635

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
17fb97ca1109d1df10784830d50ee6bc

SHA1
5099f35361b44cb46de8fc4cda664bbbb2aaa905

SHA256
eae7c5c05b061255e154a9fc6b113677dd077986418f48150de8c8f340770a8f

SHA512
1d6094e50edc7b857828f23b5dfa1b797f6c825e9fdc60305d9dc1614a4a9c4089f5624000f978f29f954bff93941218b3d6390029b3b9daf5e3840fae8853c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AAD646CB44373074ADE741C38400E7E1

Filesize
192B

MD5
d91fef9f96763e39954592de1f002b54

SHA1
475023a4f57e53f51a51c85cc5ce6067c2ce8509

SHA256
bfddd21700b0a741e82bbaeb1d34a31eeb1cae88eee939a0a07a8dc1ce22bfdf

SHA512
0cb6ae2580f84eb32e9f1758645cc6fbbf78925b45fea48777e505445870568baf0424f1ed0fca75d5235f87ea1af08ba8d6d7afd0ffedd05f9ac4408627aec5

Download Submit
memory/2720-25-0x00000000000D0000-0x00000000001D2000-memory.dmp

Filesize
1.0MB

Download
memory/2720-0-0x00000000000D0000-0x00000000001D2000-memory.dmp

Filesize
1.0MB

Download
memory/2720-8-0x00000000000D0000-0x00000000001D2000-memory.dmp

Filesize
1.0MB

Download
memory/2720-66-0x00000000000D0000-0x00000000001D2000-memory.dmp

Filesize
1.0MB

Download
memory/2720-42-0x00000000000D0000-0x00000000001D2000-memory.dmp

Filesize
1.0MB

Download
memory/2720-32-0x00000000000D0000-0x00000000001D2000-memory.dmp

Filesize
1.0MB

Download
memory/2720-27-0x00000000000D0000-0x00000000001D2000-memory.dmp

Filesize
1.0MB

Download
memory/2720-26-0x00000000000D0000-0x00000000001D2000-memory.dmp

Filesize
1.0MB

Download
memory/3360-6-0x0000000002CE0000-0x0000000002CE3000-memory.dmp

Filesize
12KB

Download
memory/3360-3-0x0000000002CE0000-0x0000000002CE3000-memory.dmp

Filesize
12KB

Download
memory/3360-5-0x0000000003740000-0x00000000037B9000-memory.dmp

Filesize
484KB

Download
memory/3360-7-0x0000000003740000-0x00000000037B9000-memory.dmp

Filesize
484KB

Download
memory/3360-4-0x0000000002CE0000-0x0000000002CE3000-memory.dmp

Filesize
12KB

Download
memory/3360-16-0x0000000003740000-0x00000000037B9000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing