281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10

General

Target

281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
Size

536KB
MD5

349af8d06a4e87ad259aae3398d86302
SHA1

facae6e28fb5655a33fefb261603c55ed8a282d9
SHA256

281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10
SHA512

4e6330705012549cc8295b6e680175bbd97fb94d441c36ae8d6e7199414bc990c3c957694a5acb71e14cb7ef29c2870e536974353e3a88c5d8f83d97f43eb5e9
SSDEEP

12288:Ghf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:GdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4916-0-0x0000000000170000-0x0000000000272000-memory.dmp	upx
behavioral2/memory/4916-14-0x0000000000170000-0x0000000000272000-memory.dmp	upx
behavioral2/memory/4916-25-0x0000000000170000-0x0000000000272000-memory.dmp	upx
behavioral2/memory/4916-26-0x0000000000170000-0x0000000000272000-memory.dmp	upx
behavioral2/memory/4916-30-0x0000000000170000-0x0000000000272000-memory.dmp	upx
behavioral2/memory/4916-42-0x0000000000170000-0x0000000000272000-memory.dmp	upx
behavioral2/memory/4916-66-0x0000000000170000-0x0000000000272000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\5429e8	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
Token: SeTcbPrivilege	4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
Token: SeDebugPrivilege	4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
Token: SeDebugPrivilege	3516	Explorer.EXE
Token: SeTcbPrivilege	3516	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 3516	4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe	53
PID 4916 wrote to memory of 3516	4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe	53
PID 4916 wrote to memory of 3516	4916	281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516
- C:\Users\Admin\AppData\Local\Temp\281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe
  "C:\Users\Admin\AppData\Local\Temp\281110f9aeeaa54aaf78ecb0691e57526c2b6a1baef51436a9c1c6ca27266d10.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
018abd0a1df3d5cf6fa7913b1eb1d053

SHA1
9b2dcacc201a7ee3c07f86f7bfb320ef56b424a7

SHA256
33de216a1bec10315b28166eceaeadd8cd34dfa711ad4eb8f2d132a38ceccd61

SHA512
5a59881448875dc87816441c1e8841af5090bdbfafe0dbb0f07f50b9cb07ea0bc816083b1bf2270e7cb45c26effa2f2e12f27bc8f3aecd47991a2f87faa4a7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
623dc39dcd64d6f8c6c176ccb4610262

SHA1
6819a3885a3243817815381bb02bb10b2a4cd741

SHA256
24744c0e9ced89f28124c2918715be6499efab84388852d3c04874037341396c

SHA512
9cb18c9f198adcda7754dc6094e18ec6d83f149226529b0a9c0f12c3f9a0369e0629fadc13e0f03e5195072647f079e5f4d78e28bea739703572f00201d8ab05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
23dec71a97139773ed086c0326fbbefc

SHA1
55dab04f05c3a3cc1911dcc7948a2b925a5b74af

SHA256
0243c318667263703da505b75c738ecff23df170dd62900ac8d1c9973a16bec8

SHA512
70ab93903ea78426a3d573edb9b668a4aff73943b3e28561edd66e82b0c9a46ecb285776f9248a1f07f0d17baefb9df2d957cd240b815b3968bf65e87b35281a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
76115a0b5dc2719f8c703c639a49e1db

SHA1
85ba15a04b8f9acf6874e974fc7104bb38f68c6f

SHA256
9cbe16bb8fbe0889191def92b97171e59b94aa2a46b244ed174fd6fc8855b923

SHA512
5acb2c6ef211cb2d146685963220c531587e97266e7bc115f8369140db97fcf35800ea30f57e63e9f13a2f68bdce123e99e33af470de58f0a0692c0cba3cafab

Download Submit
memory/3516-7-0x0000000002780000-0x00000000027F9000-memory.dmp

Filesize
484KB

Download
memory/3516-16-0x0000000002780000-0x00000000027F9000-memory.dmp

Filesize
484KB

Download
memory/3516-6-0x0000000000820000-0x0000000000823000-memory.dmp

Filesize
12KB

Download
memory/3516-4-0x0000000002780000-0x00000000027F9000-memory.dmp

Filesize
484KB

Download
memory/3516-3-0x0000000000820000-0x0000000000823000-memory.dmp

Filesize
12KB

Download
memory/4916-14-0x0000000000170000-0x0000000000272000-memory.dmp

Filesize
1.0MB

Download
memory/4916-0-0x0000000000170000-0x0000000000272000-memory.dmp

Filesize
1.0MB

Download
memory/4916-25-0x0000000000170000-0x0000000000272000-memory.dmp

Filesize
1.0MB

Download
memory/4916-26-0x0000000000170000-0x0000000000272000-memory.dmp

Filesize
1.0MB

Download
memory/4916-30-0x0000000000170000-0x0000000000272000-memory.dmp

Filesize
1.0MB

Download
memory/4916-42-0x0000000000170000-0x0000000000272000-memory.dmp

Filesize
1.0MB

Download
memory/4916-66-0x0000000000170000-0x0000000000272000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing