691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5

General

Target

691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
Size

536KB
MD5

43ad31cd07d54429cb9d820d37acbf3e
SHA1

85dd8f39eb163d82c8e9ff64ebbcc08b288c17ad
SHA256

691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5
SHA512

18647d264bf7f4bcca92f0a81da80b615bebf7145e049403cd77ed4103f342dab7be61e63b5c7b958ca320735cf708c2cc33d989fc8a5f80fde8b6f080d1d825
SSDEEP

12288:qhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:qdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral1/memory/2896-41-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral1/memory/2896-264-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral1/memory/2896-404-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral1/memory/2896-574-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral1/memory/2896-613-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3194a0	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
1140	Explorer.EXE
1140	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
Token: SeTcbPrivilege	2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
Token: SeDebugPrivilege	2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
Token: SeDebugPrivilege	1140	Explorer.EXE
Token: SeTcbPrivilege	1140	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 1140	2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe	12
PID 2896 wrote to memory of 1140	2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe	12
PID 2896 wrote to memory of 1140	2896	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140
- C:\Users\Admin\AppData\Local\Temp\691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
  "C:\Users\Admin\AppData\Local\Temp\691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c37872ea665b7252a7c3c974fff3d286

SHA1
21beab6efecc5945cc61dbbe1f73cea4f12137db

SHA256
326e59a0ab8758eec9898dbccae18f8abb32d566949e865e2f0c33632ff876ed

SHA512
bd02e5a660a89e170999ac885176b69f4db7e32c1c3c0020e3f5b216f53bc9a76b82e3d4cd11424721d694053b5829e7ffb9873de902233927b0706a6aad3b57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
981b69ef5b28204309f9807291a5a516

SHA1
bcbf96d80396bab8b55bcaf2596481bcf61cde79

SHA256
48fe57df97f21de1b581cc28d0842af01baab4dfec4c84b1bcdd68d0d3e9d68e

SHA512
7423af2b68a7062201453c17b4c5097d93302f03daae22c11fcbe9e728fc399cb2599515123f0724bbb37b0642a5e49a835073a538a2aaa7988f2319e8ee226f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5cf81742c139f559fb893d5459f8b2eb

SHA1
bbf99c03ef384e8a7c7123ab40871163cb5c91bf

SHA256
09dbed6645b55c8818c0bb2d7188263147af09e90e37dd2bda515d62ba77c395

SHA512
7a3771b6238709581ea774b76e33ae9fe101ba73e9f825916f7ce35bc90df6e79fa2f8668beccf4b5ff4f8953a1ee56e495a8be15151fe2493068510adf15db4

Download Submit
memory/1140-3-0x0000000002D90000-0x0000000002D93000-memory.dmp

Filesize
12KB

Download
memory/1140-115-0x0000000004310000-0x0000000004389000-memory.dmp

Filesize
484KB

Download
memory/1140-5-0x0000000002D90000-0x0000000002D93000-memory.dmp

Filesize
12KB

Download
memory/1140-4-0x0000000004310000-0x0000000004389000-memory.dmp

Filesize
484KB

Download
memory/1140-6-0x0000000004310000-0x0000000004389000-memory.dmp

Filesize
484KB

Download
memory/2896-41-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/2896-264-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/2896-0-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/2896-404-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/2896-574-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/2896-613-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing