5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c

General

Target

5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
Size

536KB
MD5

b730bfe1c6c0c5f14de82da2c3d1d040
SHA1

c7858fce16b6cf223e53c3039af6ddf9fbe6fbfe
SHA256

5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c
SHA512

38f040936543410f562f78d046dd0f1e4bb25a3702d1d6fd9adba3aa2cb6d7020a598962c708716f5f2184388aefadab3e4e71f504d3a58993e4a9af2b13efd0
SSDEEP

12288:ghf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:gdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3204-0-0x0000000000CA0000-0x0000000000DA2000-memory.dmp	upx
behavioral2/memory/3204-1-0x0000000000CA0000-0x0000000000DA2000-memory.dmp	upx
behavioral2/memory/3204-5-0x0000000000CA0000-0x0000000000DA2000-memory.dmp	upx
behavioral2/memory/3204-21-0x0000000000CA0000-0x0000000000DA2000-memory.dmp	upx
behavioral2/memory/3204-29-0x0000000000CA0000-0x0000000000DA2000-memory.dmp	upx
behavioral2/memory/3204-33-0x0000000000CA0000-0x0000000000DA2000-memory.dmp	upx
behavioral2/memory/3204-45-0x0000000000CA0000-0x0000000000DA2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\36da88	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
3480	Explorer.EXE
3480	Explorer.EXE
3480	Explorer.EXE
3480	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
Token: SeTcbPrivilege	3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
Token: SeDebugPrivilege	3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
Token: SeDebugPrivilege	3480	Explorer.EXE
Token: SeTcbPrivilege	3480	Explorer.EXE
Token: SeShutdownPrivilege	3480	Explorer.EXE
Token: SeCreatePagefilePrivilege	3480	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3480	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3480	3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe	45
PID 3204 wrote to memory of 3480	3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe	45
PID 3204 wrote to memory of 3480	3204	5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3480
- C:\Users\Admin\AppData\Local\Temp\5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe
  "C:\Users\Admin\AppData\Local\Temp\5f4033c7688d592e043157e06af1301adedc8c3cf07d3120c8c39da944a32b6c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
546ffcad0416c555276c939c26529c14

SHA1
c3bae4c4ab20d1f6a521561ef4ddb2f2ed938998

SHA256
6776f85d82b590deaa225251eefdcd4576fb84b1c2156b93a60f4d8cc06ee070

SHA512
a69e2d363919e14cd42d54fed99b6b32bf567175df51e0bd1684d0f621900997e2c27d3c358966509156d3ac431b4518abe3aba63876fedbd6c6a0802c5d8c04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
939B

MD5
17b9c98d0ce6b6fe87cc63f06195ee27

SHA1
b9278e370271d09bea0a48e644af7e681604458b

SHA256
a15fc92ff66886df7d5f65cd8bbd22d408653b17cd90931d0569f2a971e6b9bf

SHA512
6d2be620961345a718d96fdd6558bf14682cde86dabb3ef3f69794c77a5e05920947c5df33a2632c5e36324573d89af261babe91bb0d85b2864cc522a3ef84de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
d34c8343ce2030c52f2ce267ba5045a9

SHA1
3d4abc9a8629c464adc8bf77c0a5fb6267db6d02

SHA256
a54f01028ae84d8ba0f1db6c0076ba294f0a0a8176931381da66c3f72d4e36b8

SHA512
02138e10e3fa452f48a031d66b93b47044490fec8aedb2758a29c88e6222b25bd38ca4c585d03653a3065439bd9aacf7b71294ca3192879003f48e92e04fc853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
95e7516b408bf9b9ebbc5ce7b147b23d

SHA1
0d4c0700f8a924f328393080470b1c2ff3a2a603

SHA256
45cc6dc014ec32f316e201bfbc5396b6d3cc35ac3c817d67a6605554715205a5

SHA512
45a1470eb7104c42c8ef82c2229425991774c41bf76e682d542bd8a6b531f127cd81de986df74b5d2743ee1b9bb2fcfc5804dd0d0ad3676551586b8e948100c6

Download Submit
memory/3204-21-0x0000000000CA0000-0x0000000000DA2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-0-0x0000000000CA0000-0x0000000000DA2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-5-0x0000000000CA0000-0x0000000000DA2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-1-0x0000000000CA0000-0x0000000000DA2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-29-0x0000000000CA0000-0x0000000000DA2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-33-0x0000000000CA0000-0x0000000000DA2000-memory.dmp

Filesize
1.0MB

Download
memory/3204-45-0x0000000000CA0000-0x0000000000DA2000-memory.dmp

Filesize
1.0MB

Download
memory/3480-6-0x00000000036F0000-0x0000000003769000-memory.dmp

Filesize
484KB

Download
memory/3480-9-0x00000000036F0000-0x0000000003769000-memory.dmp

Filesize
484KB

Download
memory/3480-18-0x00000000036F0000-0x0000000003769000-memory.dmp

Filesize
484KB

Download
memory/3480-8-0x00000000035C0000-0x00000000035C3000-memory.dmp

Filesize
12KB

Download
memory/3480-4-0x00000000035C0000-0x00000000035C3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing