dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612

General

Target

dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
Size

536KB
MD5

986290b0771abb299765c0da437790ca
SHA1

6ceb34fa62bbfdbfb21b9f3114fae00112eeadfa
SHA256

dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612
SHA512

dad8d4e138f680d44b4a829899d4a1a4ee7d7582b9022beea57c110f75f94c8f6931f010121282b40b4991643e506960d0be0e7be6ab79fd4d9337725f146478
SSDEEP

12288:hhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:hdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2092-0-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/2092-14-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/2092-19-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/2092-28-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/2092-31-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/2092-36-0x0000000000940000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/2092-48-0x0000000000940000-0x0000000000A42000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\23d0d8	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
3356	Explorer.EXE
3356	Explorer.EXE
3356	Explorer.EXE
3356	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
Token: SeTcbPrivilege	2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
Token: SeDebugPrivilege	2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
Token: SeDebugPrivilege	3356	Explorer.EXE
Token: SeTcbPrivilege	3356	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 3356	2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe	45
PID 2092 wrote to memory of 3356	2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe	45
PID 2092 wrote to memory of 3356	2092	dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356
- C:\Users\Admin\AppData\Local\Temp\dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe
  "C:\Users\Admin\AppData\Local\Temp\dc4fe61d1c56b8f35e91eff658212759cfc1e564de41552ae90f19ec4b24c612.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
546ffcad0416c555276c939c26529c14

SHA1
c3bae4c4ab20d1f6a521561ef4ddb2f2ed938998

SHA256
6776f85d82b590deaa225251eefdcd4576fb84b1c2156b93a60f4d8cc06ee070

SHA512
a69e2d363919e14cd42d54fed99b6b32bf567175df51e0bd1684d0f621900997e2c27d3c358966509156d3ac431b4518abe3aba63876fedbd6c6a0802c5d8c04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
50372dfd916eac49d19c351e79ac8d89

SHA1
9b2ed9743315bb1b480b796e523baac85001c024

SHA256
62007f4bdbc7bc3b6f2ddc409acd6f6d7d53d5d65fcce11e86ff484e2f9c803c

SHA512
395bc731018835e9c68b493de20b7380427ac3ec59f1f8f20400f757d475080ea03f042b6b4f3825205c3f62a3595a2201bcc0b4cdb704cb31397ed0d2b133d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
05f7a7036f23fb7b2cbe116373f5ab4c

SHA1
9a1c543a3057d84d65bceffc5630a4f0bf0c05fd

SHA256
119fb313047493629dcf6fb5c495d7d7fb17048ef7234f20d1c8d64c0c98fab1

SHA512
fdab04c5015537c9c3e1755e0a3cde4bed9794418cf389d523fbc677d66ea7039dedcad0750dbec9be21346556e590d664904dbe36ed08c59238de1bcff842d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
3522927ab39cb044cfaf25c1627c8eaa

SHA1
e3a064bfcfa7b398abb7cabf8030f812f3daf0c5

SHA256
35678ee0d9384a6155ed18348abe2fda7354f82953f5fc7b847457797ab7f93b

SHA512
74a8b82b1327164014978a2bed4a20c992b26700b07f52931e10d5b541a514ed58bf706a64563d8a01ca5c53756d6e8a2524243a8aafdbf8310ec394d267e47a

Download Submit
memory/2092-28-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/2092-14-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/2092-19-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/2092-0-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/2092-31-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/2092-36-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/2092-48-0x0000000000940000-0x0000000000A42000-memory.dmp

Filesize
1.0MB

Download
memory/3356-16-0x0000000002980000-0x00000000029F9000-memory.dmp

Filesize
484KB

Download
memory/3356-7-0x0000000002980000-0x00000000029F9000-memory.dmp

Filesize
484KB

Download
memory/3356-4-0x0000000000910000-0x0000000000913000-memory.dmp

Filesize
12KB

Download
memory/3356-5-0x0000000002980000-0x00000000029F9000-memory.dmp

Filesize
484KB

Download
memory/3356-3-0x0000000000910000-0x0000000000913000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing