36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c

General

Target

36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
Size

536KB
MD5

f12f0c279d3f0748884c47afa77177f9
SHA1

0f25d6bfcb6a236bdae7fb2ff3de14c2879c82bc
SHA256

36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c
SHA512

6ee6a35773a090cde289c81b235e3d32244520428e1fb6a650dd44f2ddd7d1c7b24ffc2337bf0607944d6f11fca949940ea5f41aebb8afd2f6853b03a8215add
SSDEEP

12288:Ohf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:OdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/908-0-0x00000000009D0000-0x0000000000AD2000-memory.dmp	upx
behavioral2/memory/908-13-0x00000000009D0000-0x0000000000AD2000-memory.dmp	upx
behavioral2/memory/908-24-0x00000000009D0000-0x0000000000AD2000-memory.dmp	upx
behavioral2/memory/908-25-0x00000000009D0000-0x0000000000AD2000-memory.dmp	upx
behavioral2/memory/908-28-0x00000000009D0000-0x0000000000AD2000-memory.dmp	upx
behavioral2/memory/908-40-0x00000000009D0000-0x0000000000AD2000-memory.dmp	upx
behavioral2/memory/908-64-0x00000000009D0000-0x0000000000AD2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\f8b98	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
Token: SeTcbPrivilege	908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
Token: SeDebugPrivilege	908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
Token: SeDebugPrivilege	3492	Explorer.EXE
Token: SeTcbPrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3492	Explorer.EXE
3492	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 3492	908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe	54
PID 908 wrote to memory of 3492	908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe	54
PID 908 wrote to memory of 3492	908	36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3492
- C:\Users\Admin\AppData\Local\Temp\36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe
  "C:\Users\Admin\AppData\Local\Temp\36b5597e2b70060842ede614d691d9e96124876896e5f110c4ab614755258b5c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
644b9543129b090d96762a5b22d3a375

SHA1
66553457cfc949885966916288632d5ff123fe66

SHA256
ba7ac18f23565ab7a401f10ad34a62d89b19421c4b309cb918ac224c768fb07b

SHA512
a58db26ca794968cc972bbfc026b0a7dbb6d425ec99dcaf9fede9d432d333030236030bd71374a712a09360f60e6b8f16bad3f145e0381b34657dcbf5a6128e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
43bfb505a22561e271d517dc3df30874

SHA1
081c259c6adac2f2ab606d3050d2e28295aee470

SHA256
db13da2d53774657133b3a45d64dfc113eec29ac4b1c1ad5ba6fc83620bee6c3

SHA512
586bd7147a43b9a73d3f59f4a6986dfce0012a70fdcef08c20bc1b8d81db0b525156d9eab6cfb48820b42b0478b8711edf22235c067ae6ad2c798f3030dd1203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
44a3bb1dff8996e19d1094691599d9fd

SHA1
b4a82bbe4ebfb482966a7d8d41be9741fd38a041

SHA256
cad6f0ea9262af240c49e863a5f3fd3778280089bbe642d1ff46df8b6f2e4ad8

SHA512
9a7635d1ed99645c939132b576a6bc94009e46b772f1989c73ec1fee7c81f081580f3738b3e0c3a993e0c82ae8a87ca9d8377618cf914cd5f5c7aa5d43e7134e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
a3d6f51a191736721b7faf4501e2c88c

SHA1
83f00fac0fb09946af51b2cd9325470018ebd0ac

SHA256
b41328067b75a3f72d94b7bc7a2e36d62f58308eea472728baf3da741555f3d1

SHA512
d158459150ece7ec042205360f735d414615f28474d8e67b2624291faf1299804dd87da4d028416b17e1158a735bb0f2e65e6c4f6cc6c4fcd17012b9fdeff55d

Download Submit
memory/908-25-0x00000000009D0000-0x0000000000AD2000-memory.dmp

Filesize
1.0MB

Download
memory/908-13-0x00000000009D0000-0x0000000000AD2000-memory.dmp

Filesize
1.0MB

Download
memory/908-24-0x00000000009D0000-0x0000000000AD2000-memory.dmp

Filesize
1.0MB

Download
memory/908-0-0x00000000009D0000-0x0000000000AD2000-memory.dmp

Filesize
1.0MB

Download
memory/908-28-0x00000000009D0000-0x0000000000AD2000-memory.dmp

Filesize
1.0MB

Download
memory/908-40-0x00000000009D0000-0x0000000000AD2000-memory.dmp

Filesize
1.0MB

Download
memory/908-64-0x00000000009D0000-0x0000000000AD2000-memory.dmp

Filesize
1.0MB

Download
memory/3492-15-0x0000000002AF0000-0x0000000002B69000-memory.dmp

Filesize
484KB

Download
memory/3492-6-0x0000000002AF0000-0x0000000002B69000-memory.dmp

Filesize
484KB

Download
memory/3492-3-0x0000000002640000-0x0000000002643000-memory.dmp

Filesize
12KB

Download
memory/3492-5-0x0000000002640000-0x0000000002643000-memory.dmp

Filesize
12KB

Download
memory/3492-4-0x0000000002AF0000-0x0000000002B69000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing