3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c

General

Target

3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
Size

536KB
MD5

5018f24dffd1d9986f3aa8134e356951
SHA1

6d24c47f382703cfd0848b5258c0d4c91820e870
SHA256

3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c
SHA512

c4541a1b9b74b7f5914216ee108026f953fadde625a5ef57d6f4c4b47ee0d5bc51d979c5771c72d6bde85e6fd0b056ec0994e2be6b275e37a93636700bf6fa1b
SSDEEP

12288:vhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:vdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4160-0-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/4160-14-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/4160-25-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/4160-29-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/4160-41-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/4160-65-0x0000000000F60000-0x0000000001062000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\473880	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
Token: SeTcbPrivilege	4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
Token: SeDebugPrivilege	4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
Token: SeDebugPrivilege	3512	Explorer.EXE
Token: SeTcbPrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3512	Explorer.EXE
3512	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 3512	4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe	44
PID 4160 wrote to memory of 3512	4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe	44
PID 4160 wrote to memory of 3512	4160	3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3512
- C:\Users\Admin\AppData\Local\Temp\3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe
  "C:\Users\Admin\AppData\Local\Temp\3028b4e2d8b1c4005fc4bff6bf180ca4234a962283c604e86e6a6d462155180c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
018abd0a1df3d5cf6fa7913b1eb1d053

SHA1
9b2dcacc201a7ee3c07f86f7bfb320ef56b424a7

SHA256
33de216a1bec10315b28166eceaeadd8cd34dfa711ad4eb8f2d132a38ceccd61

SHA512
5a59881448875dc87816441c1e8841af5090bdbfafe0dbb0f07f50b9cb07ea0bc816083b1bf2270e7cb45c26effa2f2e12f27bc8f3aecd47991a2f87faa4a7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
623dc39dcd64d6f8c6c176ccb4610262

SHA1
6819a3885a3243817815381bb02bb10b2a4cd741

SHA256
24744c0e9ced89f28124c2918715be6499efab84388852d3c04874037341396c

SHA512
9cb18c9f198adcda7754dc6094e18ec6d83f149226529b0a9c0f12c3f9a0369e0629fadc13e0f03e5195072647f079e5f4d78e28bea739703572f00201d8ab05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
c829d0ccc969fa97763efe5b7ae66c8a

SHA1
d90b22a7df09d807343a28f92e9b235e7b8b612c

SHA256
c3e42699972c64945707e24ed73f53fd26216623fd7125643af486ed7aaa9d1d

SHA512
6746f4eb379649546b62acfa05b52d4cd988645973512d676dffcccabf83a3516bb5c23732778dc4926f731e2c2e3c8c3c8f80dae8ba067d50bdde64f65187f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
cd65b17c67decd4fa6f2c0711e95965f

SHA1
3e2c47a938b33658695cce367d4b0383a6da3c66

SHA256
9a08d3714885138f73e2ceba73911c47c27b0a9dd8bf594332ffe9f577c402ec

SHA512
7798e23947429f129d556651d13f5bed183d3d5533ee9f51b3b78daa124ea85887175a0633ea5870ef2c39a6f79d8c238aa7f3557e0d3d199460cfc5336439d7

Download Submit
memory/3512-7-0x00000000079E0000-0x0000000007A59000-memory.dmp

Filesize
484KB

Download
memory/3512-16-0x00000000079E0000-0x0000000007A59000-memory.dmp

Filesize
484KB

Download
memory/3512-6-0x0000000003130000-0x0000000003133000-memory.dmp

Filesize
12KB

Download
memory/3512-4-0x00000000079E0000-0x0000000007A59000-memory.dmp

Filesize
484KB

Download
memory/3512-3-0x0000000003130000-0x0000000003133000-memory.dmp

Filesize
12KB

Download
memory/4160-14-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/4160-0-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/4160-25-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/4160-29-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/4160-41-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/4160-65-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing