d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969

Analysis

max time kernel
14s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
Size

536KB
MD5

72c4cff05ed8d2efcdeda6b6be956984
SHA1

3d316a33ddb97e229684bbcd5cb797715fd82479
SHA256

d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969
SHA512

e8266d3dbcd5184f33ae7aec45f490849ad658bf5d12c9bd5fc1114fd9f0164626f559aade3a5d22c2a2a375fb8152a0263b1f5eef593d2a524267abf2ea0083
SSDEEP

12288:Jhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:JdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000A20000-0x0000000000B22000-memory.dmp	upx
behavioral1/memory/3020-8-0x0000000000A20000-0x0000000000B22000-memory.dmp	upx
behavioral1/memory/3020-156-0x0000000000A20000-0x0000000000B22000-memory.dmp	upx
behavioral1/memory/3020-405-0x0000000000A20000-0x0000000000B22000-memory.dmp	upx
behavioral1/memory/3020-548-0x0000000000A20000-0x0000000000B22000-memory.dmp	upx
behavioral1/memory/3020-587-0x0000000000A20000-0x0000000000B22000-memory.dmp	upx
behavioral1/memory/3020-636-0x0000000000A20000-0x0000000000B22000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\33b418	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
1252	Explorer.EXE
1252	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
Token: SeTcbPrivilege	3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
Token: SeDebugPrivilege	3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
Token: SeDebugPrivilege	1252	Explorer.EXE
Token: SeTcbPrivilege	1252	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 1252	3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe	17
PID 3020 wrote to memory of 1252	3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe	17
PID 3020 wrote to memory of 1252	3020	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe	17

C:\Users\Admin\AppData\Local\Temp\d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
"C:\Users\Admin\AppData\Local\Temp\d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e483e82213102bbf40eecde6f04eb252

SHA1
c041cf1dbe1180f9571c51b3433a4943b84c9b6e

SHA256
797b3f672e82d894dcb419640993e05cdfa163226cbde33cf07489c66cfc2639

SHA512
f837e7e73c9659f65508e6ecbadcbd945385c79a3b2aa9f2b095c1ec9d0844ca9da532c92b27bd6c20378794b1c4e85755347e24ac75047e534f6d4fae801b32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
327b7329a3c5f28e5ebf324bd89ff97d

SHA1
09aad96e9162079b3cf3a1b758870da20dc5322e

SHA256
a0c2ea55a20bdc616e2fc886fec4f7d4c035465cf8ef52d30878bb478234718c

SHA512
96cf66ad179a9024336e17b7e99245e4092207a456001a1af0e42c9b2af46c3da6d8dc1c528251c60a47882d2de896e0668accff731a58becc759ff9e85ba6ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e15843f330552fc12789b25260a5c18

SHA1
8de99bbfa3f6bef09c081738f840c6a254e4ed91

SHA256
4cd377815c264e3f69a8c1eb1958d8918948bf9a064ddaf9cffd299a10a0929d

SHA512
b934f082a20dfb13c10ff32191331529372dccef5406abb263f979f8e92a6c206989683d3a4675db2c477daff171ec31ea1ee492811de98b059c551c31d003ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
703c4fc00a4af6e793633fb0c58ce1d8

SHA1
9f4cf7263c066032226cde808bc525fffffc9159

SHA256
664f0e0161602cb089f8175b1422495a00990d3e1165ff0dd591be0cb1287046

SHA512
a5668f187dd850e43d248e3e5127c1614d18f48676e6a21d7872d4114d736f2b6d12e560fbc7db75a2841a827b9784913ee77506a411793b1a81a4554b267343

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49848c6c9df9e3315a63e2811c5d8605

SHA1
76d80f8ddbe2f86deb927242212c5d95dd5c23a3

SHA256
053d3f0c39d160f29899d2adda1254a2c801c3fd13f324656a48d72e43e1ffee

SHA512
a78d98abaaf2454a9abfc71f1b159448cb1d29cd78826c5c39936569912afe75750029d50868c463fdfcef97a5cd578e60dc6abe60e0e06cc405f59130352e84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e95bbc3abd81251e2229c0d8923336d

SHA1
34e57f8ec929f0c6eae9415f687edd961558a043

SHA256
7e3daf8ead91778ae7e91c0cb708fb17549b7ee8980c92de2056064759058cbc

SHA512
e669f3201ff6780ecdec84bd63293c8d9d4b125ebefdf80237de60346906b7f4f9747c0fcd095ce725f74107bf79ae5e8a8452d194f4972d6e316f3e6ddb76a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
410f87cd119aff7e58d09654d5604495

SHA1
eccb176dac9a478aa44387b27d4b9205db336619

SHA256
6b8cc0e1e04305aa78b5737ae106bb7a469c109fdff0e661a707deddd9ce0f5f

SHA512
7a945d000b9e603da58e219deb065ff671fa4ac646f59ece44a002cc6bec2d30dc54df9f8d9ff45dab1b5a79aa32fe53b69eb208502fbfd647184a3623f8d7fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a2135b0ab73a86d78d0a51ecca268bb

SHA1
1b74bffae6dd380823e2357bca3cfc8c72bc5c47

SHA256
24d811e0044052a2c0ff0439aefbcc012cd0587998c344dbb188304aa62103ee

SHA512
abfaca575b8ecb702967648aa29bc6324dd2bd14492bd9212b29a3c2e5158ecfbf5f293a0dfbd069517a5107741f0161c9521bf6716e1f7cfaf196d124d07a4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7f6a8594747668de2eba302e1149d36

SHA1
6ea947a68af0185779e182d05e88a5c6e91f34d1

SHA256
094640d28d76170ae478f25f002ed7eb26d334c5b1361646406c85f2fc504615

SHA512
18ed1f4e4836c5c853ff23a5ee7fb622a859f2daef17d75f30a43f8ba138e5e7f5d5effa41711504bacd65c93957824f81482fda6ce1fa101c588923c851a55c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7fda497eaa10d8704acc249014504efc

SHA1
390fbf589c07b5e957f035310e3d347f192eebed

SHA256
c13c7fe773703a5fb35970bc0d7503fece19eb1a9cd73a5781af11ce93f15a89

SHA512
09ac9e6994fe4f93ea31422e914be1158202daae8e65d56f7ea0abc100cbd6c42490d9a1398e85a30890110b001c583b3c2ba72aa36db419fc07d19feac22eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7D3D.tmp

Filesize
6KB

MD5
c6d875ae96fab75a3224e59ddd82081f

SHA1
6af8a55864af175fc43603fea89afb0d5b20ba31

SHA256
f9c2a2c869aefd0aa3a202321f75c7ed63d93f5bb9544bef4f92196a587111ce

SHA512
b5593f31a57ca42ad695767eaaf55cb3c18abe61cbe57d532fba2c689d4f2c0da28b7cd755bd2ed17112667a9ee20f66134676eddab98bebe2c8fad5ac8acbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D5F.tmp

Filesize
13KB

MD5
9b1062581cb73787c7061ab5085efce9

SHA1
ed665ae0c717c7a7be4444b7280dec2546a08dd2

SHA256
8fe378bfb6a0003cf268ed056f7266782cec918dae2aac2f124c9215b276644b

SHA512
088d774c3b752278a782b503be2de51e36c0b6c22bdc1f5f4819cab29f0f37af6aaaa00c63cbfa68e60c792d1019a175296c04cbb65cd66180056a45e9622830

Download Submit
memory/1252-5-0x0000000004000000-0x0000000004079000-memory.dmp

Filesize
484KB

Download
memory/1252-3-0x0000000002A30000-0x0000000002A33000-memory.dmp

Filesize
12KB

Download
memory/1252-4-0x0000000002A30000-0x0000000002A33000-memory.dmp

Filesize
12KB

Download
memory/1252-7-0x0000000004000000-0x0000000004079000-memory.dmp

Filesize
484KB

Download
memory/1252-80-0x0000000004000000-0x0000000004079000-memory.dmp

Filesize
484KB

Download
memory/3020-405-0x0000000000A20000-0x0000000000B22000-memory.dmp

Filesize
1.0MB

Download
memory/3020-8-0x0000000000A20000-0x0000000000B22000-memory.dmp

Filesize
1.0MB

Download
memory/3020-0-0x0000000000A20000-0x0000000000B22000-memory.dmp

Filesize
1.0MB

Download
memory/3020-156-0x0000000000A20000-0x0000000000B22000-memory.dmp

Filesize
1.0MB

Download
memory/3020-548-0x0000000000A20000-0x0000000000B22000-memory.dmp

Filesize
1.0MB

Download
memory/3020-587-0x0000000000A20000-0x0000000000B22000-memory.dmp

Filesize
1.0MB

Download
memory/3020-636-0x0000000000A20000-0x0000000000B22000-memory.dmp

Filesize
1.0MB

Download