cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c

General

Target

cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
Size

536KB
MD5

8d8480a26de222eaad29882ed688f472
SHA1

e385ebed402c5fdc8a797354a2f5c51f9487c1a8
SHA256

cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c
SHA512

1ef275cc2f9e2e651e1792b57c332c86c6bbef3cc33f7ea8f4d2d55eeafd49c4fbf1a29b7db20ad434bc5ef3174d517dbd8611841c210a82951a805d13551adf
SSDEEP

12288:Hhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:HdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2664-0-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/2664-11-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/2664-25-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/2664-26-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/2664-33-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/2664-46-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2d9bd0	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
Token: SeTcbPrivilege	2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
Token: SeDebugPrivilege	2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
Token: SeDebugPrivilege	3412	Explorer.EXE
Token: SeTcbPrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3412	2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe	35
PID 2664 wrote to memory of 3412	2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe	35
PID 2664 wrote to memory of 3412	2664	cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3412
- C:\Users\Admin\AppData\Local\Temp\cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe
  "C:\Users\Admin\AppData\Local\Temp\cd362194b28b1129438f775345081e48437371d97133a4050ffc86338abdf87c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
fea30b5dc23230b33de9328e0234fd28

SHA1
b2e00f3b1f16a6f6a20697959f91836ec8abc3da

SHA256
646f6414abe0518c898831bd02b332cd22e1b6386c89733e36e68c4adecf7876

SHA512
e059cd42f0ecf14519b225dd343404c82e96c3c2d84765d779021240c258fbcc186968bbb1995efb12a8687c6e6e6b4cc67c5148a265eba0e61815d48ad91ebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
f4704e4373e961459bb62a5d06d36a06

SHA1
3ae524d2f6b5ec83c20e378d6e0c5764e276d9d4

SHA256
daed1871001185edccf1eae9d71fee0db26cfbcffffa910513487d72bf6dcde6

SHA512
9cbf66f8d992103dbd4277904ce18c3601783d8afab937fcf8bb85d6f70b47511318413bd72f5555aeac4248ba033eeb26aeba4023552678c00e9a8b45d56ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
d5ebf05059b6f67696f45b2d924bba2a

SHA1
3e014ea0b4f7aa89e8324964bb8be44cdd02848e

SHA256
74b7752871498001bed382289f0d06a4a34c87ef2016a2be1d40deab2e1d7cea

SHA512
62290343c739293c5f39ffcfe95eef4d277578c3ea2cd4531e52af30b7a0c5b5ea0b66b764d7b3af3e78720fc63bec6b31067460ca2b6928bd5139219f556034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
e1ab3ec7c9014dccbbe0b9f5e96124bd

SHA1
d7c69988332dc1ec753f0c6ee859967470629858

SHA256
cb7d4fff88dbe9540a53f03f430413140df78140290fce09631391432d0e1b87

SHA512
044569181feff0d4fea41a16c681fa02d4d320772a7371b3262609cd57e9818fbe2f075d9747fb45629b9ba31b180356d81a71081d2686d259d811e8aa3ba966

Download Submit
memory/2664-25-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/2664-11-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/2664-0-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/2664-26-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/2664-33-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/2664-46-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/3412-4-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/3412-16-0x0000000003800000-0x0000000003879000-memory.dmp

Filesize
484KB

Download
memory/3412-5-0x0000000003800000-0x0000000003879000-memory.dmp

Filesize
484KB

Download
memory/3412-7-0x0000000003800000-0x0000000003879000-memory.dmp

Filesize
484KB

Download
memory/3412-6-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/3412-3-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing