691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5

General

Target

691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
Size

536KB
MD5

43ad31cd07d54429cb9d820d37acbf3e
SHA1

85dd8f39eb163d82c8e9ff64ebbcc08b288c17ad
SHA256

691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5
SHA512

18647d264bf7f4bcca92f0a81da80b615bebf7145e049403cd77ed4103f342dab7be61e63b5c7b958ca320735cf708c2cc33d989fc8a5f80fde8b6f080d1d825
SSDEEP

12288:qhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:qdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3940-0-0x0000000000910000-0x0000000000A12000-memory.dmp	upx
behavioral2/memory/3940-8-0x0000000000910000-0x0000000000A12000-memory.dmp	upx
behavioral2/memory/3940-25-0x0000000000910000-0x0000000000A12000-memory.dmp	upx
behavioral2/memory/3940-26-0x0000000000910000-0x0000000000A12000-memory.dmp	upx
behavioral2/memory/3940-28-0x0000000000910000-0x0000000000A12000-memory.dmp	upx
behavioral2/memory/3940-33-0x0000000000910000-0x0000000000A12000-memory.dmp	upx
behavioral2/memory/3940-43-0x0000000000910000-0x0000000000A12000-memory.dmp	upx
behavioral2/memory/3940-65-0x0000000000910000-0x0000000000A12000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\437448	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
Token: SeTcbPrivilege	3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
Token: SeDebugPrivilege	3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
Token: SeDebugPrivilege	3520	Explorer.EXE
Token: SeTcbPrivilege	3520	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 3520	3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe	22
PID 3940 wrote to memory of 3520	3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe	22
PID 3940 wrote to memory of 3520	3940	691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe	22

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520
- C:\Users\Admin\AppData\Local\Temp\691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe
  "C:\Users\Admin\AppData\Local\Temp\691911a7d1e81e9209e8487cd15052412b99be0c09be7befc3745fbe9cb132b5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
338d004ad754cc2c0a09884cfaee1194

SHA1
e24402834700690081d470616d19a7c98177ccac

SHA256
ce1b358d81353681e5c79de41a348187cf2137b6c5ef74d0812e11f1b954675a

SHA512
5140b1cdd72d16096490cf8c9f0f6ecd7bf5ee4f2791f2e7628d4b41e85ee43278cb41a4da7a1ae74eddc7b6e74cb1d58036164e3db927e441ab0781a71070c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
43bfb505a22561e271d517dc3df30874

SHA1
081c259c6adac2f2ab606d3050d2e28295aee470

SHA256
db13da2d53774657133b3a45d64dfc113eec29ac4b1c1ad5ba6fc83620bee6c3

SHA512
586bd7147a43b9a73d3f59f4a6986dfce0012a70fdcef08c20bc1b8d81db0b525156d9eab6cfb48820b42b0478b8711edf22235c067ae6ad2c798f3030dd1203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
69d62c39ced8fd0f4c701b0677d16a11

SHA1
bba6d8c82bfa3da15d7a6400758a40317ec63e14

SHA256
3c32d73fa716705443e0deb5ad2ea0116ca364cbd1d29c9bee5028e370109b33

SHA512
b12fa18ab28e1411af412ae5b9587f44ac3f7b7fdae1e5240a745ce3fedd73af4226a8fb94e7897b752f35a602d7f44099ea6664e8030870de6c9cfdfc7896af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
e7a1c2219b56d8987d7a72f71e6fcef2

SHA1
d7d0d10a0796c4c6239b7828e5550927d3e37cae

SHA256
0235dba67afc07f5bcace61ae9517616cf7f65c08ca73b3b75381edfefd1bccd

SHA512
3c1e68efe93d96ac5992faba7aa43d915a9953dfaa3861f73c03ff59ff72dc00a50dad2b2518ad96484ee7ac9b602b0ff0d03b4867537839e20fbc56f0a1c30a

Download Submit
memory/3520-7-0x00000000036A0000-0x0000000003719000-memory.dmp

Filesize
484KB

Download
memory/3520-4-0x0000000001430000-0x0000000001433000-memory.dmp

Filesize
12KB

Download
memory/3520-3-0x0000000001430000-0x0000000001433000-memory.dmp

Filesize
12KB

Download
memory/3520-16-0x00000000036A0000-0x0000000003719000-memory.dmp

Filesize
484KB

Download
memory/3520-6-0x0000000001430000-0x0000000001433000-memory.dmp

Filesize
12KB

Download
memory/3520-5-0x00000000036A0000-0x0000000003719000-memory.dmp

Filesize
484KB

Download
memory/3940-0-0x0000000000910000-0x0000000000A12000-memory.dmp

Filesize
1.0MB

Download
memory/3940-8-0x0000000000910000-0x0000000000A12000-memory.dmp

Filesize
1.0MB

Download
memory/3940-25-0x0000000000910000-0x0000000000A12000-memory.dmp

Filesize
1.0MB

Download
memory/3940-26-0x0000000000910000-0x0000000000A12000-memory.dmp

Filesize
1.0MB

Download
memory/3940-28-0x0000000000910000-0x0000000000A12000-memory.dmp

Filesize
1.0MB

Download
memory/3940-33-0x0000000000910000-0x0000000000A12000-memory.dmp

Filesize
1.0MB

Download
memory/3940-43-0x0000000000910000-0x0000000000A12000-memory.dmp

Filesize
1.0MB

Download
memory/3940-65-0x0000000000910000-0x0000000000A12000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing