d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969

General

Target

d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
Size

536KB
MD5

72c4cff05ed8d2efcdeda6b6be956984
SHA1

3d316a33ddb97e229684bbcd5cb797715fd82479
SHA256

d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969
SHA512

e8266d3dbcd5184f33ae7aec45f490849ad658bf5d12c9bd5fc1114fd9f0164626f559aade3a5d22c2a2a375fb8152a0263b1f5eef593d2a524267abf2ea0083
SSDEEP

12288:Jhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:JdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3448-0-0x0000000000970000-0x0000000000A72000-memory.dmp	upx
behavioral2/memory/3448-14-0x0000000000970000-0x0000000000A72000-memory.dmp	upx
behavioral2/memory/3448-25-0x0000000000970000-0x0000000000A72000-memory.dmp	upx
behavioral2/memory/3448-26-0x0000000000970000-0x0000000000A72000-memory.dmp	upx
behavioral2/memory/3448-27-0x0000000000970000-0x0000000000A72000-memory.dmp	upx
behavioral2/memory/3448-30-0x0000000000970000-0x0000000000A72000-memory.dmp	upx
behavioral2/memory/3448-37-0x0000000000970000-0x0000000000A72000-memory.dmp	upx
behavioral2/memory/3448-47-0x0000000000970000-0x0000000000A72000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3b07f0	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
3356	Explorer.EXE
3356	Explorer.EXE
3356	Explorer.EXE
3356	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
Token: SeTcbPrivilege	3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
Token: SeDebugPrivilege	3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
Token: SeDebugPrivilege	3356	Explorer.EXE
Token: SeTcbPrivilege	3356	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 3356	3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe	48
PID 3448 wrote to memory of 3356	3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe	48
PID 3448 wrote to memory of 3356	3448	d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe	48

C:\Users\Admin\AppData\Local\Temp\d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
"C:\Users\Admin\AppData\Local\Temp\d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
442B

MD5
17f2f2918c656deb42649f369428d9ad

SHA1
588c2f4a1a8bd2b8aa7d4411743bca82f2a224ae

SHA256
1f2884706bb35c41edc5a6ca9e9f3f8f5f7409d812e857983bcdcbce94b39984

SHA512
d2de8ecad685e4130259fca54a9018ff0cebd5e0492b4b00afc648432638320c88b9bfd26aff6a653ec653cbe14f841c18b64efc14f595993df7166364bee017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
b749590af291186718979e08e85dbc8e

SHA1
f2727c80e032526849b428e5e81289b75897f57e

SHA256
9f1c789841c18a8f900e05f4cb03f424d2cdf87467d746ad2c3ab7fb2cfb045c

SHA512
8e276fb02780384226bae0b51ecc3113ced24dbdb03576e6b559a22821a71f54c897809719fb52e81a75f64ae923cfbc791dbe8fc083289affa8f3a18e0de5ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
18de9d80abd30ac7feca3d7eba8a61a5

SHA1
e31226fc37dca760861e3f5f6528c0eb38dc022c

SHA256
af5548c07767d2bf8f39f97f8ea216abe44491cdadd8d430e5d3d026950a791b

SHA512
cab398d025cf09b8c93be5adfffa078713e01804e2b806f8eedc25af43a56d906bb4eafd96b11db91c59d52b0e00cd48af37b6bf8de0744b8628f56d3e2e9a54

Download Submit
memory/3356-3-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

Filesize
12KB

Download
memory/3356-16-0x00000000030B0000-0x0000000003129000-memory.dmp

Filesize
484KB

Download
memory/3356-4-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

Filesize
12KB

Download
memory/3356-7-0x00000000030B0000-0x0000000003129000-memory.dmp

Filesize
484KB

Download
memory/3356-5-0x00000000030B0000-0x0000000003129000-memory.dmp

Filesize
484KB

Download
memory/3448-14-0x0000000000970000-0x0000000000A72000-memory.dmp

Filesize
1.0MB

Download
memory/3448-0-0x0000000000970000-0x0000000000A72000-memory.dmp

Filesize
1.0MB

Download
memory/3448-25-0x0000000000970000-0x0000000000A72000-memory.dmp

Filesize
1.0MB

Download
memory/3448-26-0x0000000000970000-0x0000000000A72000-memory.dmp

Filesize
1.0MB

Download
memory/3448-27-0x0000000000970000-0x0000000000A72000-memory.dmp

Filesize
1.0MB

Download
memory/3448-30-0x0000000000970000-0x0000000000A72000-memory.dmp

Filesize
1.0MB

Download
memory/3448-37-0x0000000000970000-0x0000000000A72000-memory.dmp

Filesize
1.0MB

Download
memory/3448-47-0x0000000000970000-0x0000000000A72000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing