36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c

General

Target

36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
Size

536KB
MD5

f12f0c279d3f0748884c47afa77177f9
SHA1

0f25d6bfcb6a236bdae7fb2ff3de14c2879c82bc
SHA256

36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c
SHA512

6ee6a35773a090cde289c81b235e3d32244520428e1fb6a650dd44f2ddd7d1c7b24ffc2337bf0607944d6f11fca949940ea5f41aebb8afd2f6853b03a8215add
SSDEEP

12288:Ohf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:OdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2964-0-0x0000000000350000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2964-78-0x0000000000350000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2964-401-0x0000000000350000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2964-402-0x0000000000350000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2964-657-0x0000000000350000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2964-662-0x0000000000350000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2964-673-0x0000000000350000-0x0000000000452000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\32bea8	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
Token: SeTcbPrivilege	2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
Token: SeDebugPrivilege	2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeTcbPrivilege	1204	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1204	2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe	16
PID 2964 wrote to memory of 1204	2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe	16
PID 2964 wrote to memory of 1204	2964	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204
- C:\Users\Admin\AppData\Local\Temp\36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
  "C:\Users\Admin\AppData\Local\Temp\36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
647bba3502b7a28c3a4ff1a61629cab4

SHA1
8ebd2c925eca909cf3a4a415f3b13c4e4aa8ebc8

SHA256
f7f2b8dfb647ed2d11d670bc71d8da5e923ef232e82f61e9cc4a69ed96efb456

SHA512
850df7cece7fa69018e6d06d9415325030d1a30114724b6883ccf6e8f5ae60b76677a46beef57514c175248490d93055f42615c0967822844170aa175d005a89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d4f3614839a474220d452b0a65388588

SHA1
b63d51f82766e92186eda1d956ebb69aeebea108

SHA256
e4b50a98c12f22f34ecbaf9fe909d128f46f1f2f58736507b4e2c12162129530

SHA512
9e90d04eebef4059a1b8a2cfe91c6fd986d09534207b68441c36a57d4ef9e16e18d5f41017819a4f1174fcc323fc3321dda8766f784509812de5d42ccb576199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da5b5df7ec1f38c516adc49c63b1e5b5

SHA1
a632ec9df8e7798c648fa38eb045f8d493606604

SHA256
78e7153e1cf483adf56b9e27789960c50088e97bedf8cc96fb78e9d647e4e9a7

SHA512
9af490d475cfa65e201d962e5b291c15044edc5e056a693b899ddbec0ab7b67f1be4d391317ef175cda428cdda8e4c135f182d351d850f4034b79595d471c569

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
859d071c966f0375cfb362548a3fe597

SHA1
3df720dc7712dfede0ed4a406d7f4e0de5a0389b

SHA256
3d6734a274dafe52aceb54b0e5c7a056df2950f3c81cc81912479f531e3aba58

SHA512
fb0fb43073a3b9b7c603f9933ae6030ddaa046ea1310630e2c1bd942e60e04ff563f1a09537d8106eb3a532ddf310574ae27754c2ae8057f3b206068aa27040e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a8fc789a0f9c60994349fa500e4d136

SHA1
20f2a0ea59e89e7fc9be5685b063f4d3a7ba9d04

SHA256
e781807e5f07e1fe964d0b69a98c29f17fe2103b5ea7a2c08fc9ec8a9d1c7cdc

SHA512
bf75085f4b21554feb9f63991014c8abf0cb8882f4f3c61a8aab04dadb61cf34621e37407fae469d818107554a8544791960b4e16723e5d6c95fe23bcf365eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c678efb7c1a20926eb2fcde5a709db2

SHA1
83f81778b2246db269ef4529cfa6394ec528eaec

SHA256
25156a3ce037dd8cdc5a67a41ba2d97862574824700673df424b0fff1d1d32a2

SHA512
7fcaa1a853ca239f71c03710b273d164be8f38f7cc972f5f2f75c619b0d31206141c1d3a510b51466aea5071610bddaa42fa288c5c5fd735c1f58b6e3a831e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F53.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3F75.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1204-4-0x0000000004100000-0x0000000004179000-memory.dmp

Filesize
484KB

Download
memory/1204-7-0x0000000004100000-0x0000000004179000-memory.dmp

Filesize
484KB

Download
memory/1204-6-0x0000000002E70000-0x0000000002E73000-memory.dmp

Filesize
12KB

Download
memory/1204-152-0x0000000004100000-0x0000000004179000-memory.dmp

Filesize
484KB

Download
memory/1204-3-0x0000000002E70000-0x0000000002E73000-memory.dmp

Filesize
12KB

Download
memory/2964-401-0x0000000000350000-0x0000000000452000-memory.dmp

Filesize
1.0MB

Download
memory/2964-402-0x0000000000350000-0x0000000000452000-memory.dmp

Filesize
1.0MB

Download
memory/2964-0-0x0000000000350000-0x0000000000452000-memory.dmp

Filesize
1.0MB

Download
memory/2964-78-0x0000000000350000-0x0000000000452000-memory.dmp

Filesize
1.0MB

Download
memory/2964-657-0x0000000000350000-0x0000000000452000-memory.dmp

Filesize
1.0MB

Download
memory/2964-662-0x0000000000350000-0x0000000000452000-memory.dmp

Filesize
1.0MB

Download
memory/2964-673-0x0000000000350000-0x0000000000452000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing