f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434

General

Target

f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
Size

536KB
MD5

3465b06a1df295d15586707b6fd2a3cd
SHA1

1eecff22fba4e1bd39da6edcfdfce43936f0db42
SHA256

f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434
SHA512

c3c855990fbc1f6cc93f49a4ea76138b2d36e46f3d717ea8c3cdd6ad0bed8bbe94cde49287da5cf32c94c646f5b496be0f1531fd780f5dbfda0302ac821b39c5
SSDEEP

12288:+hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:+dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2872-0-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/2872-13-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/2872-24-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/2872-25-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/2872-31-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/2872-43-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/2872-67-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\312b70	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
Token: SeTcbPrivilege	2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
Token: SeDebugPrivilege	2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
Token: SeDebugPrivilege	3440	Explorer.EXE
Token: SeTcbPrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3440	Explorer.EXE
3440	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 3440	2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe	49
PID 2872 wrote to memory of 3440	2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe	49
PID 2872 wrote to memory of 3440	2872	f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe	49

C:\Users\Admin\AppData\Local\Temp\f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe
"C:\Users\Admin\AppData\Local\Temp\f837d80108ea93edabf5ce583151e2de446f08d0a8a0aa21ba04feebf31b4434.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
ed8c407cabf6dda1921f95bfb68410bd

SHA1
68a0e370738b3a9d8c1fe19fd11ed34ffa4e1621

SHA256
62baccc4cd1852af4827ea6da8a220fed5b2d15d9d522fd824be62f4a0dd4ace

SHA512
64c97b87eb4e74b5a78631c9c885be0c32c58f5b5c220641d83c87d0153dfdaf83bc7ddb99b5714a47199ae794c6f3929e94f359483a0161153817df82e0035b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
50372dfd916eac49d19c351e79ac8d89

SHA1
9b2ed9743315bb1b480b796e523baac85001c024

SHA256
62007f4bdbc7bc3b6f2ddc409acd6f6d7d53d5d65fcce11e86ff484e2f9c803c

SHA512
395bc731018835e9c68b493de20b7380427ac3ec59f1f8f20400f757d475080ea03f042b6b4f3825205c3f62a3595a2201bcc0b4cdb704cb31397ed0d2b133d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
e627852ef2bd094f4b589a7c1ea58676

SHA1
523f41652aba238253b94b614031090f13a4b48f

SHA256
d5d01491a1159e75469350642a96d4f5829afdafd231ac506abb228a9dca1589

SHA512
7a439d42a1d8205dee03e7b75aefd59a3d15ba5edba491baa2ab328662031d6ec4a372d79f089be8923416aee24e3626919b26de268d0234b7b4f1ec216df16f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
4b979f71a45eab8cb015f4502ecc33af

SHA1
201ceed5cc23ca7a23c0c3158c1f3119e6b0a42a

SHA256
8479569aba29541c2793550540c2fea476975b6cf6bf4031a640e5316510327a

SHA512
adfecf33c43ab37a2e24b80cfa03a3b49822683981f502c8f583768c15382c247eb76f4a0b705d8d14876d75c60c7350fec629c9938238a3c327012add0656a4

Download Submit
memory/2872-25-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/2872-13-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/2872-24-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/2872-0-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/2872-31-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/2872-43-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/2872-67-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/3440-15-0x0000000003600000-0x0000000003679000-memory.dmp

Filesize
484KB

Download
memory/3440-4-0x0000000003600000-0x0000000003679000-memory.dmp

Filesize
484KB

Download
memory/3440-5-0x00000000032B0000-0x00000000032B3000-memory.dmp

Filesize
12KB

Download
memory/3440-6-0x0000000003600000-0x0000000003679000-memory.dmp

Filesize
484KB

Download
memory/3440-3-0x00000000032B0000-0x00000000032B3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing