0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803

General

Target

0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
Size

536KB
MD5

5834ff7c2403151983fd30f7bf5771cc
SHA1

a5b1b92b50d60625b05805e20d9677dcbf7cc4c7
SHA256

0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803
SHA512

e4b62031df834028aed18a6c364776642da8e102c66c8e03bcf9ab9f86433f35287d88c6bed8e57a0d05bb57621f3adadb3cfa9c3fcbb5309ccbad456c6a41e5
SSDEEP

12288:mhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:mdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4928-0-0x0000000000370000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4928-8-0x0000000000370000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4928-19-0x0000000000370000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4928-26-0x0000000000370000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4928-27-0x0000000000370000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4928-28-0x0000000000370000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4928-31-0x0000000000370000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4928-43-0x0000000000370000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4928-66-0x0000000000370000-0x0000000000472000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\545e80	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
Token: SeTcbPrivilege	4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
Token: SeDebugPrivilege	4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
Token: SeDebugPrivilege	3380	Explorer.EXE
Token: SeTcbPrivilege	3380	Explorer.EXE
Token: SeShutdownPrivilege	3380	Explorer.EXE
Token: SeCreatePagefilePrivilege	3380	Explorer.EXE
Token: SeShutdownPrivilege	3380	Explorer.EXE
Token: SeCreatePagefilePrivilege	3380	Explorer.EXE
Token: SeShutdownPrivilege	3380	Explorer.EXE
Token: SeCreatePagefilePrivilege	3380	Explorer.EXE
Token: SeShutdownPrivilege	3380	Explorer.EXE
Token: SeCreatePagefilePrivilege	3380	Explorer.EXE
Token: SeShutdownPrivilege	3380	Explorer.EXE
Token: SeCreatePagefilePrivilege	3380	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3380	Explorer.EXE
3380	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 3380	4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe	44
PID 4928 wrote to memory of 3380	4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe	44
PID 4928 wrote to memory of 3380	4928	0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3380
- C:\Users\Admin\AppData\Local\Temp\0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe
  "C:\Users\Admin\AppData\Local\Temp\0a108a13d62926524680d6b68b2778f7ac1436d2322a07fc8aacbf09ac930803.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
9b09add0d082a7a416c17d5a5b1240c0

SHA1
4a46f18e2506e83623ec022733a89a441f8f920f

SHA256
b2691a87580463fc83284b0622d2a8bb42b4400224f956ede2cc1ab95c9037c6

SHA512
a9f9c901573cfe918b259a309ba7ee2d9ac71a94fb3f7538c30a069fd2f174b9b64eae76fb6ae454997d1c5b009d10cdd80559aa01a1d8f46a6d02de258a8784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
f4704e4373e961459bb62a5d06d36a06

SHA1
3ae524d2f6b5ec83c20e378d6e0c5764e276d9d4

SHA256
daed1871001185edccf1eae9d71fee0db26cfbcffffa910513487d72bf6dcde6

SHA512
9cbf66f8d992103dbd4277904ce18c3601783d8afab937fcf8bb85d6f70b47511318413bd72f5555aeac4248ba033eeb26aeba4023552678c00e9a8b45d56ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
a29aa6221242b246af68d90f6d2b70b0

SHA1
19b24cc563611d20cfbc420b0db4846d17195202

SHA256
b541a0584ee8424a089d2fffbe51a8c3461168fad222ad7951ee1f2671df1521

SHA512
50bac0a131a5075fabd1b4254c0e6e71e52c168fa88d62a277ba2c838028e37746e09348fa5fd5b6424b6b44545f27f9d22c7863b28587ca49aa9af293fbfbe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
9d3776ae898414db55939f601d4d1ec3

SHA1
7eed9edf345d9069c4363fe85770100d1fb80471

SHA256
8ced81be10d62896d84dd5348385ee46a707313e346979a2623a28b7ff90bfc3

SHA512
7ebb2188f4d8f00e26fbce5b46a03dafcb1a7cc3565af97313bfa23ee47c004adff680f0e06051fb93114e4717dd3c67a8121815fb18013fdfc6e45f7032bdae

Download Submit
memory/3380-6-0x0000000000B80000-0x0000000000B83000-memory.dmp

Filesize
12KB

Download
memory/3380-7-0x0000000004D90000-0x0000000004E09000-memory.dmp

Filesize
484KB

Download
memory/3380-3-0x0000000000B80000-0x0000000000B83000-memory.dmp

Filesize
12KB

Download
memory/3380-17-0x0000000004D90000-0x0000000004E09000-memory.dmp

Filesize
484KB

Download
memory/3380-4-0x0000000000B80000-0x0000000000B83000-memory.dmp

Filesize
12KB

Download
memory/3380-5-0x0000000004D90000-0x0000000004E09000-memory.dmp

Filesize
484KB

Download
memory/4928-19-0x0000000000370000-0x0000000000472000-memory.dmp

Filesize
1.0MB

Download
memory/4928-0-0x0000000000370000-0x0000000000472000-memory.dmp

Filesize
1.0MB

Download
memory/4928-8-0x0000000000370000-0x0000000000472000-memory.dmp

Filesize
1.0MB

Download
memory/4928-26-0x0000000000370000-0x0000000000472000-memory.dmp

Filesize
1.0MB

Download
memory/4928-27-0x0000000000370000-0x0000000000472000-memory.dmp

Filesize
1.0MB

Download
memory/4928-28-0x0000000000370000-0x0000000000472000-memory.dmp

Filesize
1.0MB

Download
memory/4928-31-0x0000000000370000-0x0000000000472000-memory.dmp

Filesize
1.0MB

Download
memory/4928-43-0x0000000000370000-0x0000000000472000-memory.dmp

Filesize
1.0MB

Download
memory/4928-66-0x0000000000370000-0x0000000000472000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing