5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4

General

Target

5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
Size

536KB
MD5

ccaca9a9268079a40f27f3139bcc571c
SHA1

27b639a6849509f3d4ac71b8e93fe7f1e8c8e3c0
SHA256

5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4
SHA512

654cf884733d674b41471f84e66bd95228a756a8e9ee417ce4b46e19ab8d8960110c0544b81a1720c84ab7ec0bcd034789e703a8ca69223402a60843aba11f19
SSDEEP

12288:ihf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:idQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4028-0-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4028-14-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4028-25-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4028-26-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4028-29-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4028-41-0x0000000000890000-0x0000000000992000-memory.dmp	upx
behavioral2/memory/4028-65-0x0000000000890000-0x0000000000992000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\44f5f8	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
Token: SeTcbPrivilege	4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
Token: SeDebugPrivilege	4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
Token: SeDebugPrivilege	3392	Explorer.EXE
Token: SeTcbPrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3392	Explorer.EXE
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3392	4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe	48
PID 4028 wrote to memory of 3392	4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe	48
PID 4028 wrote to memory of 3392	4028	5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe	48

C:\Users\Admin\AppData\Local\Temp\5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe
"C:\Users\Admin\AppData\Local\Temp\5303467406bd52893c4a9316f100f41e0305ac9db74df6bf9419fde39ea61ea4.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
644b9543129b090d96762a5b22d3a375

SHA1
66553457cfc949885966916288632d5ff123fe66

SHA256
ba7ac18f23565ab7a401f10ad34a62d89b19421c4b309cb918ac224c768fb07b

SHA512
a58db26ca794968cc972bbfc026b0a7dbb6d425ec99dcaf9fede9d432d333030236030bd71374a712a09360f60e6b8f16bad3f145e0381b34657dcbf5a6128e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
939B

MD5
17b9c98d0ce6b6fe87cc63f06195ee27

SHA1
b9278e370271d09bea0a48e644af7e681604458b

SHA256
a15fc92ff66886df7d5f65cd8bbd22d408653b17cd90931d0569f2a971e6b9bf

SHA512
6d2be620961345a718d96fdd6558bf14682cde86dabb3ef3f69794c77a5e05920947c5df33a2632c5e36324573d89af261babe91bb0d85b2864cc522a3ef84de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
c9a6dce9bdebf168bffc6d3f12c3be8d

SHA1
6b0b42a149fac0d48c2e038e8bff5e7cfde5a299

SHA256
bd09fc115efbe39a4b6e197761dbbef18eb7eef295981275cb6bf9fb62d78bdf

SHA512
aa187955bbdb61f9033b03729be09f9278fb6fe7358b5b0b39ab88e1f0f6c3b0f81030736cc23262b944f2f77aae6b169f38acc59a2bc45709f00504b22b1941

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
564ffa383bbf3a8f9875bf1cf54c417a

SHA1
56b561711bb3a5222728d2177b3760aadf8d6b79

SHA256
d81d77f60ac29fb1002951016e1d59fbdca222032684b1d9ab1efca4ef7c8f60

SHA512
0531e0c9aad7edc08861c22176911032d4dbd7a13aa9276ce450ece8d840913a170b4775fe1f7a2284da667fe37c2d164fbb7c4f5f4f9c9264d0003d9b05c115

Download Submit
memory/3392-3-0x0000000002820000-0x0000000002823000-memory.dmp

Filesize
12KB

Download
memory/3392-16-0x0000000002E30000-0x0000000002EA9000-memory.dmp

Filesize
484KB

Download
memory/3392-6-0x0000000002820000-0x0000000002823000-memory.dmp

Filesize
12KB

Download
memory/3392-7-0x0000000002E30000-0x0000000002EA9000-memory.dmp

Filesize
484KB

Download
memory/3392-4-0x0000000002E30000-0x0000000002EA9000-memory.dmp

Filesize
484KB

Download
memory/4028-14-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4028-0-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4028-25-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4028-26-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4028-29-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4028-41-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download
memory/4028-65-0x0000000000890000-0x0000000000992000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing