24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce

Analysis

max time kernel
0s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 14:17

Target

24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
Size

536KB
MD5

3020df3094a278eb6e38a77cf0982022
SHA1

3634784494efd35283aeb226229a40a50bde57c2
SHA256

24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce
SHA512

67b4648335efab53695294e7a8806616bd97322fd419721b51080d01c3cd5e6cfdcd61f688489d4ae82dbec9ea110d94f3cc28e645bf7dbc0e946e2c6d8db748
SSDEEP

12288:ihf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:idQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1608-0-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1b8790	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
3540	Explorer.EXE
3540	Explorer.EXE
3540	Explorer.EXE
3540	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
Token: SeTcbPrivilege	1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
Token: SeDebugPrivilege	1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe
Token: SeDebugPrivilege	3540	Explorer.EXE
Token: SeTcbPrivilege	3540	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3540	1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe	47
PID 1608 wrote to memory of 3540	1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe	47
PID 1608 wrote to memory of 3540	1608	24d2d8ca1a6dfc5c2033e60f5bd47e7aba2d18729cd24c58c5ac6d47475784ce.exe	47

memory/1608-0-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/1608-13-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/1608-24-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/1608-25-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/1608-28-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/1608-40-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/1608-64-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/3540-6-0x0000000008050000-0x00000000080C9000-memory.dmp

Filesize
484KB

Download
memory/3540-5-0x0000000007F20000-0x0000000007F23000-memory.dmp

Filesize
12KB

Download
memory/3540-4-0x0000000008050000-0x00000000080C9000-memory.dmp

Filesize
484KB

Download
memory/3540-3-0x0000000007F20000-0x0000000007F23000-memory.dmp

Filesize
12KB

Download
memory/3540-15-0x0000000008050000-0x00000000080C9000-memory.dmp

Filesize
484KB

Download