da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935

General

Target

da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
Size

536KB
MD5

430b555bb62c9a65824b1a96d0eafd1b
SHA1

f1b9d8c31298e9c8dc3a4b96e77d0ffde1ed7835
SHA256

da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935
SHA512

97a728f186954648a1dfa47e71bcbb6ebccf05eb849d4c2295ecfd8580a6cb4087ee2e49c35b6260a80449d7ef55a08aeaa5a8e5e88c648277d8d52c92f113ee
SSDEEP

12288:rhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:rdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3152-0-0x0000000000570000-0x0000000000672000-memory.dmp	upx
behavioral2/memory/3152-14-0x0000000000570000-0x0000000000672000-memory.dmp	upx
behavioral2/memory/3152-25-0x0000000000570000-0x0000000000672000-memory.dmp	upx
behavioral2/memory/3152-26-0x0000000000570000-0x0000000000672000-memory.dmp	upx
behavioral2/memory/3152-30-0x0000000000570000-0x0000000000672000-memory.dmp	upx
behavioral2/memory/3152-42-0x0000000000570000-0x0000000000672000-memory.dmp	upx
behavioral2/memory/3152-66-0x0000000000570000-0x0000000000672000-memory.dmp	upx

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\35f6a0	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
Token: SeTcbPrivilege	3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
Token: SeDebugPrivilege	3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
Token: SeDebugPrivilege	2640	Explorer.EXE
Token: SeTcbPrivilege	2640	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 2640	3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe	13
PID 3152 wrote to memory of 2640	3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe	13
PID 3152 wrote to memory of 2640	3152	da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
- C:\Users\Admin\AppData\Local\Temp\da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe
  "C:\Users\Admin\AppData\Local\Temp\da8791002b6af34e99103220e3e6d078a24e4848f50977cc10e7281b48191935.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
6f2fe23b3a9817243e2e1e61d5fa9593

SHA1
68f501cfbe9abdf1a121b71155c6a52ef5c74870

SHA256
055634aa6efc859784b584eef57d621586c3964b9578fa3fc2614fcc3dae8feb

SHA512
07c1a03120c05f88a0aa89d93d53ee7c721306af166f363570c8200fd72cb8a532f9a656d3336fe53416978b07c65668c21cd178952ff518d1663bf5095ee538

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
f4704e4373e961459bb62a5d06d36a06

SHA1
3ae524d2f6b5ec83c20e378d6e0c5764e276d9d4

SHA256
daed1871001185edccf1eae9d71fee0db26cfbcffffa910513487d72bf6dcde6

SHA512
9cbf66f8d992103dbd4277904ce18c3601783d8afab937fcf8bb85d6f70b47511318413bd72f5555aeac4248ba033eeb26aeba4023552678c00e9a8b45d56ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
fc69943acdbbd0e033eafbed59cebcda

SHA1
a77f16cf7c4a07dc25e133fc93c79694c0c6df47

SHA256
37dee40f07424bb893ed093fb428e2c0b8e273fd6fc2d48a387d4f6d1a989f58

SHA512
4b8c8f4a16a7c5e5eb0c64465ecf57ad9a7c7a0b9f70c371d9b51fec3ca04b9a0a9ffd61e528e1ba303e244660ef9c5d0807fcd7fad6b5263fa1ec8a5a435ed3

Download Submit
memory/2640-5-0x00000000033E0000-0x0000000003459000-memory.dmp

Filesize
484KB

Download
memory/2640-16-0x00000000033E0000-0x0000000003459000-memory.dmp

Filesize
484KB

Download
memory/2640-4-0x00000000031E0000-0x00000000031E3000-memory.dmp

Filesize
12KB

Download
memory/2640-7-0x00000000033E0000-0x0000000003459000-memory.dmp

Filesize
484KB

Download
memory/2640-3-0x00000000031E0000-0x00000000031E3000-memory.dmp

Filesize
12KB

Download
memory/3152-14-0x0000000000570000-0x0000000000672000-memory.dmp

Filesize
1.0MB

Download
memory/3152-0-0x0000000000570000-0x0000000000672000-memory.dmp

Filesize
1.0MB

Download
memory/3152-25-0x0000000000570000-0x0000000000672000-memory.dmp

Filesize
1.0MB

Download
memory/3152-26-0x0000000000570000-0x0000000000672000-memory.dmp

Filesize
1.0MB

Download
memory/3152-30-0x0000000000570000-0x0000000000672000-memory.dmp

Filesize
1.0MB

Download
memory/3152-42-0x0000000000570000-0x0000000000672000-memory.dmp

Filesize
1.0MB

Download
memory/3152-66-0x0000000000570000-0x0000000000672000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing