83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c

General

Target

83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
Size

536KB
MD5

f724c2983095895cdc4ba446fb001b4b
SHA1

6b19d9f15b32603f88ff6cd835706d03a0e81d42
SHA256

83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c
SHA512

24a0accd5a8379f06f00463d5e2d218a1cdb44a075e511c3c25b10a2667bb9d5d3f93b94f24305c449af42b19a97169e9e89759314df902c61f30080b1b4396f
SSDEEP

12288:xhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:xdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3684-0-0x00000000005A0000-0x00000000006A2000-memory.dmp	upx
behavioral2/memory/3684-1-0x00000000005A0000-0x00000000006A2000-memory.dmp	upx
behavioral2/memory/3684-8-0x00000000005A0000-0x00000000006A2000-memory.dmp	upx
behavioral2/memory/3684-21-0x00000000005A0000-0x00000000006A2000-memory.dmp	upx
behavioral2/memory/3684-31-0x00000000005A0000-0x00000000006A2000-memory.dmp	upx
behavioral2/memory/3684-36-0x00000000005A0000-0x00000000006A2000-memory.dmp	upx
behavioral2/memory/3684-46-0x00000000005A0000-0x00000000006A2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3f1248	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
Token: SeTcbPrivilege	3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
Token: SeDebugPrivilege	3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
Token: SeDebugPrivilege	3464	Explorer.EXE
Token: SeTcbPrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3464	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 3464	3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe	39
PID 3684 wrote to memory of 3464	3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe	39
PID 3684 wrote to memory of 3464	3684	83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3464
- C:\Users\Admin\AppData\Local\Temp\83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe
  "C:\Users\Admin\AppData\Local\Temp\83bd693d613a9d558de39953458377fddc1fee3480fc020df38c90baa087cb3c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
546ffcad0416c555276c939c26529c14

SHA1
c3bae4c4ab20d1f6a521561ef4ddb2f2ed938998

SHA256
6776f85d82b590deaa225251eefdcd4576fb84b1c2156b93a60f4d8cc06ee070

SHA512
a69e2d363919e14cd42d54fed99b6b32bf567175df51e0bd1684d0f621900997e2c27d3c358966509156d3ac431b4518abe3aba63876fedbd6c6a0802c5d8c04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
53986d15ba8841a152fade41689cf05e

SHA1
987d8fa69bb532198d92e96e4f78148dd73c578f

SHA256
330df33a92562e50a7b48baa1ed3701d85944217259b8cd0bebbe3c619f53cd2

SHA512
557bc6c1da1a68c7d6afbf350d38c5b12b384ced3fbe29b0fb27f2b2e378865d7fc99bdfe0c2be2d1d36d70312c9965ee41c844898e0891ed7c972e154ee109f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
2b77c37d75740d385f97b2ff9f0473fa

SHA1
99b4f1e1609dbaa6ecde2cb1f3d0a9c7cb086c88

SHA256
074c9278a3a00090b8f67175934425ff4b207753e40e1569240a90701f7a5c68

SHA512
ab3b627795096fd10cc57cc8cc216571b434136997409142a82e051e1b59cb283407f1c348c5c1d7089eebe9af8ab8ff19246b0f3421c64eeb70f763d54e9958

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
d4b13ededdca7f2527d728cab93f9e52

SHA1
85457f4bf648a3579085bf5d80c782a38140ddc1

SHA256
c9cb0fffdc18ce5c9566312828bfa32ecb1e46e39336e92d882bdbea8d8e6fad

SHA512
e35ddff2dcf52616a4c6e272f3b1d92fd90fc0e50cb8ef3c0e8beec9798497f1e692f59c254f5bcbf17f867820406266346021b8a0e5f0d22d5250af398d9800

Download Submit
memory/3464-6-0x00000000080C0000-0x0000000008139000-memory.dmp

Filesize
484KB

Download
memory/3464-9-0x00000000080C0000-0x0000000008139000-memory.dmp

Filesize
484KB

Download
memory/3464-7-0x00000000008B0000-0x00000000008B3000-memory.dmp

Filesize
12KB

Download
memory/3464-18-0x00000000080C0000-0x0000000008139000-memory.dmp

Filesize
484KB

Download
memory/3464-5-0x00000000008B0000-0x00000000008B3000-memory.dmp

Filesize
12KB

Download
memory/3464-4-0x00000000008B0000-0x00000000008B3000-memory.dmp

Filesize
12KB

Download
memory/3684-8-0x00000000005A0000-0x00000000006A2000-memory.dmp

Filesize
1.0MB

Download
memory/3684-21-0x00000000005A0000-0x00000000006A2000-memory.dmp

Filesize
1.0MB

Download
memory/3684-0-0x00000000005A0000-0x00000000006A2000-memory.dmp

Filesize
1.0MB

Download
memory/3684-1-0x00000000005A0000-0x00000000006A2000-memory.dmp

Filesize
1.0MB

Download
memory/3684-31-0x00000000005A0000-0x00000000006A2000-memory.dmp

Filesize
1.0MB

Download
memory/3684-36-0x00000000005A0000-0x00000000006A2000-memory.dmp

Filesize
1.0MB

Download
memory/3684-46-0x00000000005A0000-0x00000000006A2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing