24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce

General

Target

24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
Size

536KB
MD5

3020df3094a278eb6e38a77cf0982022
SHA1

3634784494efd35283aeb226229a40a50bde57c2
SHA256

24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce
SHA512

67b4648335efab53695294e7a8806616bd97322fd419721b51080d01c3cd5e6cfdcd61f688489d4ae82dbec9ea110d94f3cc28e645bf7dbc0e946e2c6d8db748
SSDEEP

12288:ihf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:idQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-0-0x00000000009F0000-0x0000000000AF2000-memory.dmp	upx
behavioral1/memory/2332-51-0x00000000009F0000-0x0000000000AF2000-memory.dmp	upx
behavioral1/memory/2332-300-0x00000000009F0000-0x0000000000AF2000-memory.dmp	upx
behavioral1/memory/2332-479-0x00000000009F0000-0x0000000000AF2000-memory.dmp	upx
behavioral1/memory/2332-734-0x00000000009F0000-0x0000000000AF2000-memory.dmp	upx
behavioral1/memory/2332-748-0x00000000009F0000-0x0000000000AF2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\27ecb8	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
Token: SeTcbPrivilege	2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
Token: SeDebugPrivilege	2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
Token: SeDebugPrivilege	1196	Explorer.EXE
Token: SeTcbPrivilege	1196	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1196	2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe	17
PID 2332 wrote to memory of 1196	2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe	17
PID 2332 wrote to memory of 1196	2332	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196
- C:\Users\Admin\AppData\Local\Temp\24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
  "C:\Users\Admin\AppData\Local\Temp\24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99ee03bf4455a7e4be7cb29390529243

SHA1
e47e030ae2be2cd0a96cff2805f85ace592026e2

SHA256
4ea78ed4a49bdec067fbe57437fb15a1a4d1d1757d906b6d5804d6fd1a34b7c0

SHA512
913cb459f6fd478fc4d1dacca9acc991e2808ce2a844918abaaa19fa531239700a0a51d4780754d233b0d4c3e59cb89897033bbe32aa05c4cb554f1baf123944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b436f98987a6d68b14424a65bf0078a

SHA1
8e70e5545777371638d10700115258bc6229fd61

SHA256
00f5630d19878a542435f05aa14be9b92b3101a01e5e8dc0cd25f83cf7797d69

SHA512
0bb6524c2e40da699ae22cb87ada398a84935ac9a3169ecbfa76253ec218d9f2783394abcc4c08370b585fa6bf789da47841f12a9114ece0749439f83722344b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae82b878f86acef2d024c0170ce9b110

SHA1
ceb8a5c47e47048f77c4a9db143793375defdd36

SHA256
9167165f32da078c3e611cf7b342a131d3aab5c69eb25e6ab9f304b20ad9e424

SHA512
91ba721ff5cbccae49c1922b8acbbb6db9e4afa7061ad1734172234435bef0fbd1f91f81c9167f2fb71123c977ec61ae8a613e191285e54a4c6946c4e2aa05fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6290943caf2d81824a93c4832bc88235

SHA1
70c9aa760b17b8bbcb942fe81fb4f683de49bd6d

SHA256
9b2d783ee7a03ca188343fc02f33ebfe786229c525f5d6d1f901e1b339a323b3

SHA512
222988cfa76f2dbd3ba1dfb192cd8b18f513aa29dd98151d05d8e4ebcc7d655ea08523572220149e738ba316780bf4f400f55793e19543562fdeda69a47c3edb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
924015222df8084e68cad092592dc0aa

SHA1
1c549fe1634fe7c4d0df66ef70cc53a223334121

SHA256
6137cac977bc7c33b3ad0fcc7009442a9c6ae7c35ed99edc2f25cbc9b08e8fc4

SHA512
da8bfbd6d1af529b3c2016389a28b306c57093e4895e1f2c026be32514ceb823ed6497542f993da6375957e2db0cf3a1228de0880190b4448e2e1053d877d691

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9DC7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9DF9.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1196-7-0x0000000002BD0000-0x0000000002C49000-memory.dmp

Filesize
484KB

Download
memory/1196-188-0x0000000002BD0000-0x0000000002C49000-memory.dmp

Filesize
484KB

Download
memory/1196-4-0x0000000002BD0000-0x0000000002C49000-memory.dmp

Filesize
484KB

Download
memory/1196-5-0x00000000021F0000-0x00000000021F3000-memory.dmp

Filesize
12KB

Download
memory/1196-3-0x00000000021F0000-0x00000000021F3000-memory.dmp

Filesize
12KB

Download
memory/2332-51-0x00000000009F0000-0x0000000000AF2000-memory.dmp

Filesize
1.0MB

Download
memory/2332-300-0x00000000009F0000-0x0000000000AF2000-memory.dmp

Filesize
1.0MB

Download
memory/2332-0-0x00000000009F0000-0x0000000000AF2000-memory.dmp

Filesize
1.0MB

Download
memory/2332-479-0x00000000009F0000-0x0000000000AF2000-memory.dmp

Filesize
1.0MB

Download
memory/2332-734-0x00000000009F0000-0x0000000000AF2000-memory.dmp

Filesize
1.0MB

Download
memory/2332-748-0x00000000009F0000-0x0000000000AF2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing