792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
Size

536KB
MD5

c5d6a4fa143ac31363704dc823865e0b
SHA1

2d11b2e794c91dabbe1b3b81d94813d6e004242c
SHA256

792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a
SHA512

e904515e437f88e0e17a7c791b44f4b6f7a40094fbc507c90e58678de7a1f29d4970d9a10699803434e5670f8afb35dc5a41a02c464950989d9f47b87b1d3181
SSDEEP

12288:Khf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:KdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000001380000-0x0000000001482000-memory.dmp	upx
behavioral1/memory/2644-15-0x0000000001380000-0x0000000001482000-memory.dmp	upx
behavioral1/memory/2644-244-0x0000000001380000-0x0000000001482000-memory.dmp	upx
behavioral1/memory/2644-357-0x0000000001380000-0x0000000001482000-memory.dmp	upx
behavioral1/memory/2644-610-0x0000000001380000-0x0000000001482000-memory.dmp	upx
behavioral1/memory/2644-615-0x0000000001380000-0x0000000001482000-memory.dmp	upx
behavioral1/memory/2644-626-0x0000000001380000-0x0000000001482000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2d4428	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
Token: SeTcbPrivilege	2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
Token: SeDebugPrivilege	2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
Token: SeDebugPrivilege	1420	Explorer.EXE
Token: SeTcbPrivilege	1420	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1420	2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe	6
PID 2644 wrote to memory of 1420	2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe	6
PID 2644 wrote to memory of 1420	2644	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe	6

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420
- C:\Users\Admin\AppData\Local\Temp\792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
  "C:\Users\Admin\AppData\Local\Temp\792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77370e6017ae093df171f69b96ab9a40

SHA1
583bc16a555bbbee547c45d75ef21313eeff5761

SHA256
71baa15825ef2ee76a652086216237752b65eaa43a4278b4e77c697f1c07f2dd

SHA512
a8aaba7b707d664be4df9a29cce01764507fffee5215da498291097f033cf93d8649287b862f904ad904e303e944d9b77b2969d0aa6004491038385f325a6774

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e175da48a7a086c1525f704312ebfd0f

SHA1
5f292bbe1f235c59e223ef6730add48ffa255dd2

SHA256
f4ffb6ad892d73f01fb651d990d8852bfd8f1a2ee3faa45a1039c08b5ba0496c

SHA512
8d5554178e771b1fa8798222e855cb36a9aa4a41ab527cab2b9e53f805b957209774ce720b06f0b954b346e216513d8ae49aadd91fbf42756f5047c94c463bed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
607dbe571e17ea095918e656b18c6518

SHA1
f0fdddcfb47f60b20f6641726e7a2120ca2d4505

SHA256
280f6d76dd8398175295fb69ef6ec5b53def42d3d54dfddc10a70d7242354bf6

SHA512
e50d7e60afa676111ab675bd0871a35a09795cae5a6d1ca00cf96ef939a4e6f981da18eb750bbec37272942d972b297aae15efa630c2569896cb8d72ed40803e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21852ffbfa36d15241c6b7236fc68611

SHA1
47db642b5948985d34855c1a18da4f7fb866ab86

SHA256
439d22d41266c2e469c64f709b071b2bd7e37831223417f8414bad310fead9d1

SHA512
9a2bab357dd05d3b00c7fa5c780bb30b69b8d6e2e29f5df98eb7b9be753c8ef2cbf75547afa3195d71486df69f628acc18a5be6f2ed905b8f611c655feb1d160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed8e4037641ce318d8c3aef3fe3c1116

SHA1
c97759f937389a343f7b1c93f0f85c5d8e9d4373

SHA256
4f322062eff5a304cfbdf01cf5eaf5313b91fde426103a3d18a05252a0e08de3

SHA512
4238abbf7851aba61b688b617c8dbf6788551e5bb39b5038fce01627e3786c244a03bbfd5b37ce90577f1390dbf0c6157bf0ca7f064a318d7e0a0f49c015d8ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67752916b09b2b8d0c3dfc8272234dca

SHA1
a1260b8e182a4c6693fb1dec5ee6c6d769374d03

SHA256
1e93c9a0af36a8ba6cacfc9c05f3614b38bc6b98f00e7e311180f54b50632267

SHA512
c26576eef98a8378f66745228ab14b7ec94e1b2be69ecc57ef12e77faff442b7f61e2b53be27b91b148e7672fe65d9da2a9a8dfa172e30fce1565b4f1b4eac27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f48ded049d9a0687e9557764973fbd1

SHA1
1988d113217fe1cac7e0f73be903e6dcfc2bf844

SHA256
af02acc379b3a484ed41d881414d869abf3b9a88552e7f897bb47396de3bf7e9

SHA512
d58a4da901721750ea531ddb833f89b31bb58bc75a89ff05a0a895b1e1297bba7dd955333ca46aa7df9df698c23de2a4e80979bf77dfe7d684a8be5d3bd8782c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f9b117814e1970cbeb45e00c16c20d3

SHA1
b8eaa757be499e885c616d362c98bc994f0ec9b0

SHA256
db4f507ece9c95a1e99774f07de1c434ededcfe7d87d2c4ee398aa47f96afc4c

SHA512
0bc6a49731e5a8919376b77db6f2ed8cca2f3d47ee8eb093a9bdfcf3f2c7ad4e24d8638642924b737246a084970f068987b5b249e15ddb9f76e632858aedb5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE716.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAC1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1420-7-0x0000000002650000-0x0000000002653000-memory.dmp

Filesize
12KB

Download
memory/1420-6-0x0000000003FC0000-0x0000000004039000-memory.dmp

Filesize
484KB

Download
memory/1420-4-0x0000000002650000-0x0000000002653000-memory.dmp

Filesize
12KB

Download
memory/1420-3-0x0000000002650000-0x0000000002653000-memory.dmp

Filesize
12KB

Download
memory/1420-17-0x0000000003FC0000-0x0000000004039000-memory.dmp

Filesize
484KB

Download
memory/2644-244-0x0000000001380000-0x0000000001482000-memory.dmp

Filesize
1.0MB

Download
memory/2644-0-0x0000000001380000-0x0000000001482000-memory.dmp

Filesize
1.0MB

Download
memory/2644-357-0x0000000001380000-0x0000000001482000-memory.dmp

Filesize
1.0MB

Download
memory/2644-15-0x0000000001380000-0x0000000001482000-memory.dmp

Filesize
1.0MB

Download
memory/2644-610-0x0000000001380000-0x0000000001482000-memory.dmp

Filesize
1.0MB

Download
memory/2644-615-0x0000000001380000-0x0000000001482000-memory.dmp

Filesize
1.0MB

Download
memory/2644-626-0x0000000001380000-0x0000000001482000-memory.dmp

Filesize
1.0MB

Download