befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd

General

Target

befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
Size

536KB
MD5

5c96dd972896d85fc878f2a4f1e8803c
SHA1

486cc7b64bedd4e11dfd60dfbd40319dcaba02e1
SHA256

befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd
SHA512

88fef571450f2309bfb1c1604df41204cce0ea56e0ff056aef1a14081ed82146ede4b77f2c6445c859767e17212b3342292c99fb7a1989e2ab447c22ccbe961d
SSDEEP

12288:Zhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:ZdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1320-0-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral1/memory/1320-42-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral1/memory/1320-264-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral1/memory/1320-468-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral1/memory/1320-734-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral1/memory/1320-748-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\169950	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
Token: SeTcbPrivilege	1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
Token: SeDebugPrivilege	1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
Token: SeDebugPrivilege	1292	Explorer.EXE
Token: SeTcbPrivilege	1292	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1292	1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe	21
PID 1320 wrote to memory of 1292	1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe	21
PID 1320 wrote to memory of 1292	1320	befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1292
- C:\Users\Admin\AppData\Local\Temp\befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe
  "C:\Users\Admin\AppData\Local\Temp\befdce72c42857c9e83826a471c62bb4b93b47031372e8275c994df44f4855fd.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
216e26a9f51140365a84fe9151c084d2

SHA1
848dc6400b70e67f7a817a3cf37772d432ef5eac

SHA256
1731dd5d4caebe2953be234ea07fc1135a4784a5c9b870bac4a404cd56ac72e1

SHA512
0f61b98bbef428bd452f2a89dfe8e2718e8ef09f365642d922d7df3515066dccc2f3220ea22808b083a9830f6b450cedf71957e5cc7a7f26ca43ab5b3ecbe687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
adbbfe5772381e1e722e446d9987f6bd

SHA1
c7e6794e68819fc96ae91b8fde89d34ea79cd9b1

SHA256
0ebd60525452744c9cdb7ed549a204f98c966067cb483572b305a85ac2fc3088

SHA512
0f89a6cc5342ca098e86c422fba5f35d80c84ad73fba9401e98e42e8608c9eb67c78232ada76cef3d9a2aea268e1758f6bbac14c8871f672fa926ca2c2fdcc17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6ce34005d76be695726c96bf0a0bed0

SHA1
2e54b0d71ce1a06ece3596ca7b01699e1b334a5a

SHA256
4535da1533a378130965dcea2372ee6a4753786138e570f7ab85ef73dbdac09f

SHA512
47877490ec3edaa17816717adfad8ab720bddbf2351014551ee608da9ed5449b3c61e5f997aa66a82e76e9082d3cbbba6751efd8b5ba8022d33bf781e6970c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
655a0c369b8bcb98c130746801d5298f

SHA1
cb2c0b9bc6ae85ed107c77b3069f4d634367549c

SHA256
493ce74359c2966240f80c91d0fb70b87d3bd29b73b56037931516d1fb65063f

SHA512
82d4d531e610c1d9fd29dc65b2adfd681033f39b21288f061779f68114ed8458b3125cdc92721f5574080be05042e63d50b5c6decb2ab8e7aaec3028a62be42b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdcc321fe6debf09d1049624c59770cc

SHA1
3bbdbf32f6f8fecd36a869866f94f58ab0f2e808

SHA256
c936cd303caf0150bccf6aaab34bdde6d4aee461f35c3418fc19b9a029b73722

SHA512
6bcbfc1286f43c198067baeac7520f916ce2570109d0d0da535ebd39e01f72ba50bfa67df3c4513671d3b03a3ab84561b4a733fa96528c2b6cb620e54f6998b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b72206a718d0810aeb5ecf87763ec72a

SHA1
975ac6e2ef02f9547e1920551d9f147d53deaacd

SHA256
74375f004ce6a5660b68fe399ecb24d3737652ffafe412f6023e9f879fd3a57c

SHA512
4099a36c749fe1f776b38dc0805e93b0893d3c42f499021537f0e7ea07f613f647ec82a0a6c5c451a8da48642e33b9dce6fd4509b7e3ea60355a7b8d9092af5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab58EB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar590D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1292-7-0x0000000002A70000-0x0000000002A73000-memory.dmp

Filesize
12KB

Download
memory/1292-143-0x0000000003B40000-0x0000000003BB9000-memory.dmp

Filesize
484KB

Download
memory/1292-6-0x0000000003B40000-0x0000000003BB9000-memory.dmp

Filesize
484KB

Download
memory/1292-4-0x0000000002A70000-0x0000000002A73000-memory.dmp

Filesize
12KB

Download
memory/1292-3-0x0000000002A70000-0x0000000002A73000-memory.dmp

Filesize
12KB

Download
memory/1320-264-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1320-42-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1320-0-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1320-468-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1320-734-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1320-748-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing