3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c

General

Target

3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
Size

536KB
MD5

5018f24dffd1d9986f3aa8134e356951
SHA1

6d24c47f382703cfd0848b5258c0d4c91820e870
SHA256

3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c
SHA512

c4541a1b9b74b7f5914216ee108026f953fadde625a5ef57d6f4c4b47ee0d5bc51d979c5771c72d6bde85e6fd0b056ec0994e2be6b275e37a93636700bf6fa1b
SSDEEP

12288:vhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:vdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2520-0-0x00000000011B0000-0x00000000012B2000-memory.dmp	upx
behavioral1/memory/2520-113-0x00000000011B0000-0x00000000012B2000-memory.dmp	upx
behavioral1/memory/2520-227-0x00000000011B0000-0x00000000012B2000-memory.dmp	upx
behavioral1/memory/2520-299-0x00000000011B0000-0x00000000012B2000-memory.dmp	upx
behavioral1/memory/2520-372-0x00000000011B0000-0x00000000012B2000-memory.dmp	upx
behavioral1/memory/2520-662-0x00000000011B0000-0x00000000012B2000-memory.dmp	upx
behavioral1/memory/2520-667-0x00000000011B0000-0x00000000012B2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2b24b0	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
Token: SeTcbPrivilege	2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
Token: SeDebugPrivilege	2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
Token: SeDebugPrivilege	1216	Explorer.EXE
Token: SeTcbPrivilege	1216	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1216	2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe	16
PID 2520 wrote to memory of 1216	2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe	16
PID 2520 wrote to memory of 1216	2520	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216
- C:\Users\Admin\AppData\Local\Temp\3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
  "C:\Users\Admin\AppData\Local\Temp\3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43a9e2cb0d3dc0aea7928cb8cf088c44

SHA1
660910f21b75d8e4e43c58edf29b32ae7d9ec1b8

SHA256
1ae6625986a64a64bc53cf94303af7c9dadb5091512836714e36e28b95d6c265

SHA512
0141728208e65522e1e9aab2071fd4fedb485f0a9e7ba7e547406a649f7bd061ce239e8a0a427185ecd4ea0aa03dc8b2a1a6f1e144382e8bfa321b0a14a90f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d80808566e97413897172a1155cc06f

SHA1
59d102759cc44f124c080588d065c5b513699211

SHA256
dd71743ab64eacef65ee803187734a410eacea4178cc8da1cf5ea14e45dbf0d9

SHA512
d5999048e0371bb10fd75de0aea3f1944c401408b6adc145049f62ead06b5ab9c795c8e7566a53e20264fdf23aeee60434abf356771b37de3480ebf9632e5fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a717eebb85a1e8a1208f1be0a15ef0c

SHA1
fe55aa2f1163aeb6254ecef2ab3243256cdb9912

SHA256
2d65d6418386fffce9246d9c3d1f89729278b5d97bd9edeb38153f7fc1ba7885

SHA512
a6030441b5120a89470f29b694430b0a8dbcd2409a8a7364a03ba1fed5b57cf2047f6597060df29eee0a489fea58c2ff85dde599c1d48f1192df0343d41889a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0639b1d762c9f78f43d3cc16fd3b3eaf

SHA1
bda1b68365a448b7d0907780a00440e1d6428672

SHA256
61669a934601e5bdefbc300696e30cf269b96a0b93fd4b7541caee97ccbc0ced

SHA512
4704dbd935d232fdc95e9497e1451af6c056a5ff36d66d26a7a5ea0073453a25c3d4174fb3968aa30d12ae714fe5f5f4427e7a54adcc6efa0c67771651a4a73f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
194615d42fc064940fa2b0f9fc45673f

SHA1
45a78b89b715f8415f685da1bd0032706dd1a5b1

SHA256
5444dbf959c793ad954beca871f881b311fc0e27c65a65be5f6f51455a2a70f4

SHA512
9623efcdb8dd52ce3107424090884f784aa4aa41a4892ad9bf84547103ebb14dd64d4049c668817f90b3c4e4981c051e686304cd5b4994d10f839ca55d53bc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12C8.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12DA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1216-151-0x00000000041E0000-0x0000000004259000-memory.dmp

Filesize
484KB

Download
memory/1216-6-0x00000000041E0000-0x0000000004259000-memory.dmp

Filesize
484KB

Download
memory/1216-4-0x00000000041E0000-0x0000000004259000-memory.dmp

Filesize
484KB

Download
memory/1216-5-0x0000000002D70000-0x0000000002D73000-memory.dmp

Filesize
12KB

Download
memory/1216-3-0x0000000002D70000-0x0000000002D73000-memory.dmp

Filesize
12KB

Download
memory/2520-0-0x00000000011B0000-0x00000000012B2000-memory.dmp

Filesize
1.0MB

Download
memory/2520-113-0x00000000011B0000-0x00000000012B2000-memory.dmp

Filesize
1.0MB

Download
memory/2520-227-0x00000000011B0000-0x00000000012B2000-memory.dmp

Filesize
1.0MB

Download
memory/2520-299-0x00000000011B0000-0x00000000012B2000-memory.dmp

Filesize
1.0MB

Download
memory/2520-372-0x00000000011B0000-0x00000000012B2000-memory.dmp

Filesize
1.0MB

Download
memory/2520-662-0x00000000011B0000-0x00000000012B2000-memory.dmp

Filesize
1.0MB

Download
memory/2520-667-0x00000000011B0000-0x00000000012B2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing