792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a

General

Target

792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
Size

536KB
MD5

c5d6a4fa143ac31363704dc823865e0b
SHA1

2d11b2e794c91dabbe1b3b81d94813d6e004242c
SHA256

792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a
SHA512

e904515e437f88e0e17a7c791b44f4b6f7a40094fbc507c90e58678de7a1f29d4970d9a10699803434e5670f8afb35dc5a41a02c464950989d9f47b87b1d3181
SSDEEP

12288:Khf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:KdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4416-0-0x0000000000830000-0x0000000000932000-memory.dmp	upx
behavioral2/memory/4416-1-0x0000000000830000-0x0000000000932000-memory.dmp	upx
behavioral2/memory/4416-12-0x0000000000830000-0x0000000000932000-memory.dmp	upx
behavioral2/memory/4416-20-0x0000000000830000-0x0000000000932000-memory.dmp	upx
behavioral2/memory/4416-21-0x0000000000830000-0x0000000000932000-memory.dmp	upx
behavioral2/memory/4416-31-0x0000000000830000-0x0000000000932000-memory.dmp	upx
behavioral2/memory/4416-32-0x0000000000830000-0x0000000000932000-memory.dmp	upx
behavioral2/memory/4416-37-0x0000000000830000-0x0000000000932000-memory.dmp	upx
behavioral2/memory/4416-49-0x0000000000830000-0x0000000000932000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4b9a80	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
Token: SeTcbPrivilege	4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
Token: SeDebugPrivilege	4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
Token: SeDebugPrivilege	3512	Explorer.EXE
Token: SeTcbPrivilege	3512	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3512	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 3512	4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe	55
PID 4416 wrote to memory of 3512	4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe	55
PID 4416 wrote to memory of 3512	4416	792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3512
- C:\Users\Admin\AppData\Local\Temp\792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe
  "C:\Users\Admin\AppData\Local\Temp\792df32c2d0ed171aecc2b0de36fbce3eafd961572f9a540ab732e8156485a7a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
338d004ad754cc2c0a09884cfaee1194

SHA1
e24402834700690081d470616d19a7c98177ccac

SHA256
ce1b358d81353681e5c79de41a348187cf2137b6c5ef74d0812e11f1b954675a

SHA512
5140b1cdd72d16096490cf8c9f0f6ecd7bf5ee4f2791f2e7628d4b41e85ee43278cb41a4da7a1ae74eddc7b6e74cb1d58036164e3db927e441ab0781a71070c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
43bfb505a22561e271d517dc3df30874

SHA1
081c259c6adac2f2ab606d3050d2e28295aee470

SHA256
db13da2d53774657133b3a45d64dfc113eec29ac4b1c1ad5ba6fc83620bee6c3

SHA512
586bd7147a43b9a73d3f59f4a6986dfce0012a70fdcef08c20bc1b8d81db0b525156d9eab6cfb48820b42b0478b8711edf22235c067ae6ad2c798f3030dd1203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
1f2b4a2b0c4481d4ce53ca994cc01c22

SHA1
35b3db81c09c3a7db790ad1880187405861c6f86

SHA256
aeb45a5b3f86058c03dc945cae030949a3da80287cc14a83c7cbe99524774d10

SHA512
3cfde240aa55637f8c360f0e65f3b416478a025dd8fee7db41d9bce8c65da6f5f6b555d673aefc22f1e26cc0e17023f8cf5ea1e2e0026cf1ccedcae4fb1646db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
c6bfa3df451c41a39c72f5fe4ab7ae8d

SHA1
46a96ff295ebeb6afe36b4005b09cc3c7967a3b9

SHA256
4b7d3509c6ff3a764858c0966ccc60ca3fa33563c40316651bfcece8f891f15c

SHA512
8f1d29bff876d48e9d023208ac80cf2a08abd9fcaa9eb50ccd45ca2a6b761fdef54eed562b3997faefa185306d9e15880e8e856a138a6cf5678a412c550dd892

Download Submit
memory/3512-8-0x0000000006D00000-0x0000000006D79000-memory.dmp

Filesize
484KB

Download
memory/3512-6-0x0000000000640000-0x0000000000643000-memory.dmp

Filesize
12KB

Download
memory/3512-4-0x0000000000640000-0x0000000000643000-memory.dmp

Filesize
12KB

Download
memory/3512-18-0x0000000006D00000-0x0000000006D79000-memory.dmp

Filesize
484KB

Download
memory/3512-5-0x0000000006D00000-0x0000000006D79000-memory.dmp

Filesize
484KB

Download
memory/4416-20-0x0000000000830000-0x0000000000932000-memory.dmp

Filesize
1.0MB

Download
memory/4416-0-0x0000000000830000-0x0000000000932000-memory.dmp

Filesize
1.0MB

Download
memory/4416-21-0x0000000000830000-0x0000000000932000-memory.dmp

Filesize
1.0MB

Download
memory/4416-12-0x0000000000830000-0x0000000000932000-memory.dmp

Filesize
1.0MB

Download
memory/4416-1-0x0000000000830000-0x0000000000932000-memory.dmp

Filesize
1.0MB

Download
memory/4416-31-0x0000000000830000-0x0000000000932000-memory.dmp

Filesize
1.0MB

Download
memory/4416-32-0x0000000000830000-0x0000000000932000-memory.dmp

Filesize
1.0MB

Download
memory/4416-37-0x0000000000830000-0x0000000000932000-memory.dmp

Filesize
1.0MB

Download
memory/4416-49-0x0000000000830000-0x0000000000932000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing