2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399

General

Target

2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
Size

536KB
MD5

8b66b6ba378253a377b4897967754197
SHA1

3937a558ebcc0e49ef0e270956ac521f92ba27e4
SHA256

2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399
SHA512

4dd498166368f37f491e9eb02dcf66de31c8e56a5818bc01bd03416c38c4e479b1085454d538953743983b39fd0b66853d267ad0ba17de3cf893e561e90605ca
SSDEEP

12288:Shf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:SdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2540-0-0x0000000000B10000-0x0000000000C12000-memory.dmp	upx
behavioral1/memory/2540-195-0x0000000000B10000-0x0000000000C12000-memory.dmp	upx
behavioral1/memory/2540-357-0x0000000000B10000-0x0000000000C12000-memory.dmp	upx
behavioral1/memory/2540-473-0x0000000000B10000-0x0000000000C12000-memory.dmp	upx
behavioral1/memory/2540-729-0x0000000000B10000-0x0000000000C12000-memory.dmp	upx
behavioral1/memory/2540-734-0x0000000000B10000-0x0000000000C12000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2b7c58	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
Token: SeTcbPrivilege	2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
Token: SeDebugPrivilege	2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
Token: SeDebugPrivilege	1196	Explorer.EXE
Token: SeTcbPrivilege	1196	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1196	2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe	7
PID 2540 wrote to memory of 1196	2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe	7
PID 2540 wrote to memory of 1196	2540	2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe	7

C:\Users\Admin\AppData\Local\Temp\2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe
"C:\Users\Admin\AppData\Local\Temp\2f92a7dc2f0485ea8d456a9e8485e6dbbe7e09da7d902575be81a742f1a9a399.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e93390c5f5e1475ec94ae80f242b0585

SHA1
88b8d8db012f7f9985e57c64a810eb3a1db5fcc9

SHA256
1e3df3578fb22646b2d402e0263a372bd133701d7c3e29a796c1545f75fbd2d8

SHA512
f6c90560e13b598f0f4e02bfeb73f7551c7e164ead088cc6751dcd269ab9a279e608d92b539f825233ddb3b93993141f9327d671234f45bd4abe4928057461bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7397d06e2a3cc3a439b4b8647f2b54d7

SHA1
ea9c9331ef16559571637e6b87da43053f7a4643

SHA256
20c0200d4225d8205a427822f912d3216387389311b158e2efe48f7d0206003c

SHA512
3b446ffa29f8edc8d2dae051c8ba009ef01db94394763fee31c9818c44737f32c48416aa732192f4c326378a54077e0c682e78f58b71e87cde26e06c8dd76317

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6acffa55e3f101d1da02fa6b32626246

SHA1
7601f2413d0d37b7d41ec5fcd026f26eb10ad8e4

SHA256
1aacef53d6efc6d392a9a532a15cacf8e90512b685f92061fd7e64a96415d29f

SHA512
86bd5d6355febb880a30b8400ac5eb5ec9d375b7c594ae35bb50cf4b7fb3cb6d94a1fd3b1a2c90e93b60b3c8dba14d29c686deb338e95a91977238edd9134739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc0c5d790d9724d1e22fa2607953603b

SHA1
9637b3a3b7a4348f95d3cb8c63535ffff52642e7

SHA256
ac9cc879f12ea144c0641e225773fb4486afe2de4fe2c4ea68866b9da541e36e

SHA512
b93160ee94beaf36890803b2336aec0f853e709dcde1d13ac9b6e182ee72b9ea60e8c679d1085f964e3ebffe18bc60f771951b542918d0e3ea189aa559056c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b87f15a2f2dab04ec681453b9de464d4

SHA1
e0ca1b5a04e7c3a5f95fbea7873fe22ecc7f4df7

SHA256
7ecb82a12d4ad8881044e578ac6c0bf2f3b80e717a11519915fd04e24b3c9b61

SHA512
ab58e4b4d7088aa07fc60ce8af2853ff7d466f386d1ccc4df00efea418eefc570fb10b08124aec19fd237b2fd7d0ca73602c622d48098718521bfb3748ac5f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb3b3275a3e79b61483900ae252f4481

SHA1
ef1eec7f41d02b8a789d1fa5d224b82e72fc1e8b

SHA256
f54fbf398fc0127fb0c2b09c31f1aa482f6f5d1fec6e41f91e83541375184ebd

SHA512
63729c0f87826859071981f65d1dc75ac89539abc35e84fc19e241291f550b9a2755f3d95963412481ae8e665d78cb6041c7b4233e29adbf1de70b1a816cd852

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F58.tmp

Filesize
59KB

MD5
ea2b07bb4134b45a339a469915e5f92b

SHA1
a5bc65250652d9af9461526aeb43cc05e31b8f16

SHA256
02d6b4df41e54711ef516892fbac4cf5effbb52fc9c210b962989f2f6d2b123c

SHA512
84c7c4e56d023f5c8d48396b6cc5fcd2a9efcdeb25b80110d53398bf58eed63d28b0c3ab8fc3fc2265be4705a6dabbfc90f74481c0283bf45c0ffea80a7a3ba8

Download Submit
memory/1196-224-0x00000000046C0000-0x0000000004739000-memory.dmp

Filesize
484KB

Download
memory/1196-4-0x0000000003040000-0x0000000003043000-memory.dmp

Filesize
12KB

Download
memory/1196-5-0x00000000046C0000-0x0000000004739000-memory.dmp

Filesize
484KB

Download
memory/1196-7-0x00000000046C0000-0x0000000004739000-memory.dmp

Filesize
484KB

Download
memory/1196-3-0x0000000003040000-0x0000000003043000-memory.dmp

Filesize
12KB

Download
memory/2540-357-0x0000000000B10000-0x0000000000C12000-memory.dmp

Filesize
1.0MB

Download
memory/2540-0-0x0000000000B10000-0x0000000000C12000-memory.dmp

Filesize
1.0MB

Download
memory/2540-473-0x0000000000B10000-0x0000000000C12000-memory.dmp

Filesize
1.0MB

Download
memory/2540-195-0x0000000000B10000-0x0000000000C12000-memory.dmp

Filesize
1.0MB

Download
memory/2540-729-0x0000000000B10000-0x0000000000C12000-memory.dmp

Filesize
1.0MB

Download
memory/2540-734-0x0000000000B10000-0x0000000000C12000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing