0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca

General

Target

0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
Size

536KB
MD5

83816b3f2f9022b5f8222084693a982d
SHA1

93645cd1b0ccf3cef2b0228e433c22457779c09a
SHA256

0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca
SHA512

e5ec75eeeb5f99853b9d4d78d5f15f2788b30d2ce719999ad3a54c90f205c1b924072e84db1c077c9ad52df77748849160d1b7fa0dcca1dbbf08b177cad69b55
SSDEEP

12288:/hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:/dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3984-0-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/3984-8-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/3984-17-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/3984-21-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/3984-28-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/3984-36-0x0000000000F60000-0x0000000001062000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\443520	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
Token: SeTcbPrivilege	3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
Token: SeDebugPrivilege	3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
Token: SeDebugPrivilege	3376	Explorer.EXE
Token: SeTcbPrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3376	3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe	25
PID 3984 wrote to memory of 3376	3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe	25
PID 3984 wrote to memory of 3376	3984	0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe	25

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376
- C:\Users\Admin\AppData\Local\Temp\0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe
  "C:\Users\Admin\AppData\Local\Temp\0f70403b092855dd934c1e587bff33b05cf583351a4510e24c2557552e91e1ca.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
f4704e4373e961459bb62a5d06d36a06

SHA1
3ae524d2f6b5ec83c20e378d6e0c5764e276d9d4

SHA256
daed1871001185edccf1eae9d71fee0db26cfbcffffa910513487d72bf6dcde6

SHA512
9cbf66f8d992103dbd4277904ce18c3601783d8afab937fcf8bb85d6f70b47511318413bd72f5555aeac4248ba033eeb26aeba4023552678c00e9a8b45d56ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AAD646CB44373074ADE741C38400E7E1

Filesize
687B

MD5
4efd4f6d9c6d2fb581a0c0e0387fdce7

SHA1
7364d619fa43a3bcd6a2c379babe9169cded47ef

SHA256
20558404e4f5f7db54804fadbf4cec1b84a379ceaf42cee92014528008a3a693

SHA512
ad1c1d947d1958b9d3179cb3884c392da52470b55ab923e5e4a1577ced36b571370ab4a5a65fff39f4d614614107dc4f40fec6f86383478d5fbe751b3dbdf635

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
91b68232dc4ff05ffff40d835e3901c9

SHA1
0cc9213932316b9725d096bc53e9e2395778bdcb

SHA256
9e088fc648ac78cc2868179e2cf53ccb0de488cfb8738acecf0a3ed8b116df28

SHA512
75a82d8719a106877da1a7637e93d889e93b75aa3c553c7bd1d0391c92242390ff8b7101214c88cbd494f498776efb7bc65c50e374048039e94a920a559bb5f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AAD646CB44373074ADE741C38400E7E1

Filesize
192B

MD5
386d6b7a64d28b982ddb6b2f7d01afe8

SHA1
e9deb45d5dc38150a0caf92bbedadffa321f184e

SHA256
3bf3cb891db07cecc2dddcf9c23e6a7e558963871c3d63c9a879b8f7df0760d3

SHA512
1823c6f0e690c34ec317909eee8bb0b21c3068f094f5b0925a497a14d669c1144896a06332a25f4e68b59c436962a56336a1806cd488441fe6f73297fd2248e6

Download Submit
memory/3376-10-0x0000000002920000-0x0000000002999000-memory.dmp

Filesize
484KB

Download
memory/3376-7-0x0000000002920000-0x0000000002999000-memory.dmp

Filesize
484KB

Download
memory/3376-4-0x0000000002920000-0x0000000002999000-memory.dmp

Filesize
484KB

Download
memory/3376-5-0x0000000000920000-0x0000000000923000-memory.dmp

Filesize
12KB

Download
memory/3376-3-0x0000000000920000-0x0000000000923000-memory.dmp

Filesize
12KB

Download
memory/3984-8-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/3984-0-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/3984-17-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/3984-21-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/3984-28-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/3984-36-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing