cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe

General

Target

cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
Size

536KB
MD5

783ae7186b8a57ab5fc50db3b5a05777
SHA1

9e9d111b16b824f5627020e52e685d3fbe1483ed
SHA256

cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe
SHA512

4575a4e0e2331d4837dbde9dd1e79c27aed2b92e0fd89dc6971f989a6abfef62e762e2f0a4020c80a7cb5bbe95b8c96f9eae91ee613148cd6c700b7325a63adc
SSDEEP

12288:/hf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:/dQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2524-0-0x0000000000430000-0x0000000000532000-memory.dmp	upx
behavioral2/memory/2524-14-0x0000000000430000-0x0000000000532000-memory.dmp	upx
behavioral2/memory/2524-25-0x0000000000430000-0x0000000000532000-memory.dmp	upx
behavioral2/memory/2524-26-0x0000000000430000-0x0000000000532000-memory.dmp	upx
behavioral2/memory/2524-29-0x0000000000430000-0x0000000000532000-memory.dmp	upx
behavioral2/memory/2524-46-0x0000000000430000-0x0000000000532000-memory.dmp	upx
behavioral2/memory/2524-63-0x0000000000430000-0x0000000000532000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2b3638	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
Token: SeTcbPrivilege	2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
Token: SeDebugPrivilege	2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
Token: SeDebugPrivilege	3304	Explorer.EXE
Token: SeTcbPrivilege	3304	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3304	2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe	45
PID 2524 wrote to memory of 3304	2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe	45
PID 2524 wrote to memory of 3304	2524	cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe	45

C:\Users\Admin\AppData\Local\Temp\cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe
"C:\Users\Admin\AppData\Local\Temp\cfe91a264e83dee338744d9682a528326acaa539c925d30012e239e16d1471fe.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
c723ee6856557f0bfd1cc5e67b553d05

SHA1
3a78610a0c88153d0f6f5b78640a6e6be4c00090

SHA256
965a8fe70760f2e36dde21daabe53e847bb56c53a850e6e6cb37238cc9963281

SHA512
2693cc09b2d3a63ff4ed2fb331a1e871e33317959da68b2e095ec986670f5aaba620d44be5e5d79c7471e8c642410ec7f3259452898dd4a4b2cc5e556d2f1bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
939B

MD5
8fae162548fda49d1fd8a343356c191e

SHA1
0a85f178464e461e566d827985974d379e434d15

SHA256
2195f0b4a24a2ab39c72931875473d38cdc1d6d33eb9257072eea8c5052647d3

SHA512
fbbe6dc04f4b583bcf441b160138ddeee81112864e784cdeb79256e1377f30732d58b2e450156899b02e35018a4a2075d8edce451fc3b3894aab77a336b06a92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
fced62cfa66c172d2fe34b83fa029855

SHA1
35d54100bdc40b55b2a48a20519918fa7dc1e92c

SHA256
3794d35c1cb4d1d8601b73bfaa262b951f101269a3e9dd9efad071d30d556083

SHA512
476920c8bac57f181451e926070bbf2360f75dc94c3abef477e1382f0dc1d21db1dad3051677126503ee92d9f3e390d827822097247e88161f43c16f67196254

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
803335d3a97376e96c270f7c21370b46

SHA1
aa20af22c9e7cb5c9bd54060ccbf861ceec981b4

SHA256
f3469f7d8febf5be43bb5cea6233e6bcf470b8bd825c8c9772ac9e4a86e6fb63

SHA512
52bcc1cbfd99a79388a6d3b9f715b5c2b65d4195f6aa84e2497f20b6ef52995d52e77c19c554e86563f3626a19fb63fb39aa0b37f1b2964935bdfb633a564558

Download Submit
memory/2524-25-0x0000000000430000-0x0000000000532000-memory.dmp

Filesize
1.0MB

Download
memory/2524-14-0x0000000000430000-0x0000000000532000-memory.dmp

Filesize
1.0MB

Download
memory/2524-0-0x0000000000430000-0x0000000000532000-memory.dmp

Filesize
1.0MB

Download
memory/2524-26-0x0000000000430000-0x0000000000532000-memory.dmp

Filesize
1.0MB

Download
memory/2524-29-0x0000000000430000-0x0000000000532000-memory.dmp

Filesize
1.0MB

Download
memory/2524-46-0x0000000000430000-0x0000000000532000-memory.dmp

Filesize
1.0MB

Download
memory/2524-63-0x0000000000430000-0x0000000000532000-memory.dmp

Filesize
1.0MB

Download
memory/3304-3-0x0000000000600000-0x0000000000603000-memory.dmp

Filesize
12KB

Download
memory/3304-16-0x00000000027E0000-0x0000000002859000-memory.dmp

Filesize
484KB

Download
memory/3304-4-0x0000000000600000-0x0000000000603000-memory.dmp

Filesize
12KB

Download
memory/3304-6-0x0000000000600000-0x0000000000603000-memory.dmp

Filesize
12KB

Download
memory/3304-7-0x00000000027E0000-0x0000000002859000-memory.dmp

Filesize
484KB

Download
memory/3304-5-0x00000000027E0000-0x0000000002859000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing