e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
Size

536KB
MD5

f6bb7b2e7b77179851ac16cc5e49f54b
SHA1

596871a123581766b74a5e71587ec936f6dcdc8d
SHA256

e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb
SHA512

e35b97563ab00f368f2751e24a28c3146dfd275e528ef22374e91c3ec0c79d938f9e95431eb37135574a0825969d3171ce63fe6319a94169d1823c2d7c860f3e
SSDEEP

12288:Ahf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:AdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000C10000-0x0000000000D12000-memory.dmp	upx
behavioral1/memory/1680-92-0x0000000000C10000-0x0000000000D12000-memory.dmp	upx
behavioral1/memory/1680-547-0x0000000000C10000-0x0000000000D12000-memory.dmp	upx
behavioral1/memory/1680-801-0x0000000000C10000-0x0000000000D12000-memory.dmp	upx
behavioral1/memory/1680-804-0x0000000000C10000-0x0000000000D12000-memory.dmp	upx
behavioral1/memory/1680-818-0x0000000000C10000-0x0000000000D12000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1cc320	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
Token: SeTcbPrivilege	1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
Token: SeDebugPrivilege	1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeTcbPrivilege	1212	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1212	1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe	7
PID 1680 wrote to memory of 1212	1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe	7
PID 1680 wrote to memory of 1212	1680	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe	7

C:\Users\Admin\AppData\Local\Temp\e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
"C:\Users\Admin\AppData\Local\Temp\e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
81e3b4f4b89d2e6c942ea78a7fc67501

SHA1
2c59f02d33796fda4baef28f24d72a16f7346215

SHA256
b6aeaaa2eaa9da41ab91acfa69d2517ad17b3cf2f4ccef780a88e11d1b5bff52

SHA512
e9e6849d2b2db1c6218da82104fd9aaa2bd9436362e835f64e857c3b9481dc041d9966b9d914fde2cbe82dd97aa0373d7f358b3edb6b46cc8bbc2e22111e9626

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3ab146ad44461b5195afc3dab007ac1e

SHA1
fe91d2a2a21c456741efb01b520f12e66729fd7b

SHA256
375e1c74238554df39a26c19f4a913b30b112c16ef921fc68bae82d259e481d6

SHA512
61295b11dffe8bbad3b051ac7377b3913c848e9201050dfa3da8f46251cbfb94730ee6c3d6e9b06826a71b3b540d47ee2f353b2208843ca0dc53503b0ea62d13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f73890b9d70efd7406f083d8533a2d36

SHA1
12a47be1c271fca8158b148d1c076687d78372a0

SHA256
9d03190bc528f4273e931ce1a57ae8a65302dae299974703a382de5f143e740f

SHA512
1d0355a787569d7ac7a56bc4dfc6bf740e689b02d25d59bdea0d2bf3937d162afc0165d70afc8ca2f747545668e3a5359721a5ac7f9e20e795baae509bf22db5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
89a0fbb0e1e6b5ee69edbe0c314b718c

SHA1
e94e90ea4a1c94472c8b2a999211d44b6fd29e76

SHA256
1de3ba88e9647675cb8ec67ce9e613e607392a05144592e1722c3e94613015e7

SHA512
aaf7e33d95322e67bf9f9271fd20faec08936064af8b01ebf0e0f2b75e0cbb377006195683a72aee2fdcbfd2e9d9760ba8568daea8a47c42df017cf8d96f955b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f93df295b8bf410f94ab2201b31d6282

SHA1
7f1d99bf904bb1545fe8f3e5beb53300527f1028

SHA256
7eb0a46df9e6b3b9c568f11963b5e0395ce1687f1686e8f12e2694c203159a16

SHA512
30eb0c2b8c5d45039c62198594867fa7760cadc3582676cdec03776ff7139a88e18f60d5df562926ec580242149fc757593834d262a17b986d8966c5b23e225d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
015fac7364c50214ba2c14177db89945

SHA1
84960c5ad327bfb3e95df815829241a8d85d70f5

SHA256
ebb8c652d6bad9c488ab9404f7d33013b7cfde8ea692a6b173554574d793fa14

SHA512
9a71fe5a6037c8b7ed6303fba73ceab0e2b67224db2e5283542251c2d742238bc2f2d7b1338e6f4f0bca351bd5fa2c17b05094d7a4eced8b49ff6cb41bc017f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2ACD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1212-4-0x0000000002E00000-0x0000000002E03000-memory.dmp

Filesize
12KB

Download
memory/1212-238-0x0000000003D50000-0x0000000003DC9000-memory.dmp

Filesize
484KB

Download
memory/1212-7-0x0000000003D50000-0x0000000003DC9000-memory.dmp

Filesize
484KB

Download
memory/1212-5-0x0000000003D50000-0x0000000003DC9000-memory.dmp

Filesize
484KB

Download
memory/1212-3-0x0000000002E00000-0x0000000002E03000-memory.dmp

Filesize
12KB

Download
memory/1680-92-0x0000000000C10000-0x0000000000D12000-memory.dmp

Filesize
1.0MB

Download
memory/1680-0-0x0000000000C10000-0x0000000000D12000-memory.dmp

Filesize
1.0MB

Download
memory/1680-547-0x0000000000C10000-0x0000000000D12000-memory.dmp

Filesize
1.0MB

Download
memory/1680-801-0x0000000000C10000-0x0000000000D12000-memory.dmp

Filesize
1.0MB

Download
memory/1680-804-0x0000000000C10000-0x0000000000D12000-memory.dmp

Filesize
1.0MB

Download
memory/1680-818-0x0000000000C10000-0x0000000000D12000-memory.dmp

Filesize
1.0MB

Download