e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb

General

Target

e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
Size

536KB
MD5

f6bb7b2e7b77179851ac16cc5e49f54b
SHA1

596871a123581766b74a5e71587ec936f6dcdc8d
SHA256

e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb
SHA512

e35b97563ab00f368f2751e24a28c3146dfd275e528ef22374e91c3ec0c79d938f9e95431eb37135574a0825969d3171ce63fe6319a94169d1823c2d7c860f3e
SSDEEP

12288:Ahf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:AdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4344-0-0x0000000000D70000-0x0000000000E72000-memory.dmp	upx
behavioral2/memory/4344-5-0x0000000000D70000-0x0000000000E72000-memory.dmp	upx
behavioral2/memory/4344-25-0x0000000000D70000-0x0000000000E72000-memory.dmp	upx
behavioral2/memory/4344-26-0x0000000000D70000-0x0000000000E72000-memory.dmp	upx
behavioral2/memory/4344-27-0x0000000000D70000-0x0000000000E72000-memory.dmp	upx
behavioral2/memory/4344-32-0x0000000000D70000-0x0000000000E72000-memory.dmp	upx
behavioral2/memory/4344-42-0x0000000000D70000-0x0000000000E72000-memory.dmp	upx
behavioral2/memory/4344-68-0x0000000000D70000-0x0000000000E72000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4a5ef0	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
Token: SeTcbPrivilege	4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
Token: SeDebugPrivilege	4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
Token: SeDebugPrivilege	3516	Explorer.EXE
Token: SeTcbPrivilege	3516	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 3516	4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe	50
PID 4344 wrote to memory of 3516	4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe	50
PID 4344 wrote to memory of 3516	4344	e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516
- C:\Users\Admin\AppData\Local\Temp\e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe
  "C:\Users\Admin\AppData\Local\Temp\e6f1fc4ae34571930ca935482cdf0784967a5c952ef07f2abeaa45bef8a75aeb.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
0ec7d1e77dc10480985b1e9cf3e0bdec

SHA1
a1a0b93250339079263019f5cc4a5b9be012a2f9

SHA256
dd2498ae05e4c5edc35fd82a88a05362e4aab0f7115318facbb98d03b85b5b84

SHA512
6c2c9661ea0d48612cf2f834719e4609a6a63a1d9b277b572e7f4358f1b565408d4804830ef755c200764d58366b941a36cf29c09adcd1e6313d1a7e8a6c5d4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
623dc39dcd64d6f8c6c176ccb4610262

SHA1
6819a3885a3243817815381bb02bb10b2a4cd741

SHA256
24744c0e9ced89f28124c2918715be6499efab84388852d3c04874037341396c

SHA512
9cb18c9f198adcda7754dc6094e18ec6d83f149226529b0a9c0f12c3f9a0369e0629fadc13e0f03e5195072647f079e5f4d78e28bea739703572f00201d8ab05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
c534d506b1650b5f89c168712f9bb12f

SHA1
a39e1a9c11e7c0e8bc2cfeaaa207a5e58f475820

SHA256
46aec8c46afb5c1ef7da61c6e1d10f04d7692f0a02a799926a8027e53b924804

SHA512
15e53d14394fb64122b90a7d3c73b93e7af5774f496c198ae9162116fd464c83ae3a93b66c4b2a1ccd5d91edde685acd247894ac4c8a1410b24042d9545c1648

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
8a48d0fb3b4db9abae1fafd30a787060

SHA1
ffd1720bc5c8ba582072695684c5254db91128f5

SHA256
3457ba5f8593e996058485cc5aa29ea1b87e23075ff6d7602c3c29a02d08bc6e

SHA512
e2aace2f80e30512cbd34514b19cc5bc4971142f345d32438516c955acb607db5ed934676b5f68121db87eeb523e82d2e30bb52c04a523da179c93d5ccb1699f

Download Submit
memory/3516-6-0x00000000026F0000-0x00000000026F3000-memory.dmp

Filesize
12KB

Download
memory/3516-7-0x00000000030D0000-0x0000000003149000-memory.dmp

Filesize
484KB

Download
memory/3516-16-0x00000000030D0000-0x0000000003149000-memory.dmp

Filesize
484KB

Download
memory/3516-4-0x00000000030D0000-0x0000000003149000-memory.dmp

Filesize
484KB

Download
memory/3516-3-0x00000000026F0000-0x00000000026F3000-memory.dmp

Filesize
12KB

Download
memory/4344-0-0x0000000000D70000-0x0000000000E72000-memory.dmp

Filesize
1.0MB

Download
memory/4344-5-0x0000000000D70000-0x0000000000E72000-memory.dmp

Filesize
1.0MB

Download
memory/4344-25-0x0000000000D70000-0x0000000000E72000-memory.dmp

Filesize
1.0MB

Download
memory/4344-26-0x0000000000D70000-0x0000000000E72000-memory.dmp

Filesize
1.0MB

Download
memory/4344-27-0x0000000000D70000-0x0000000000E72000-memory.dmp

Filesize
1.0MB

Download
memory/4344-32-0x0000000000D70000-0x0000000000E72000-memory.dmp

Filesize
1.0MB

Download
memory/4344-42-0x0000000000D70000-0x0000000000E72000-memory.dmp

Filesize
1.0MB

Download
memory/4344-68-0x0000000000D70000-0x0000000000E72000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing