2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db

General

Target

2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
Size

536KB
MD5

65450eb8482730e5e5add388283c85da
SHA1

fa34e46701dd57813e60ca43ca867c952e477b89
SHA256

2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db
SHA512

fb08d5d48bd400238251680f484583ddfb44803fe4f4249b6b96493bffe478a8173adca3f07ad71b60a75a5cc5336758ae86941bdcb3db3cc6576b3d2de3275a
SSDEEP

12288:Ihf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:IdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2056-0-0x0000000000310000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2056-14-0x0000000000310000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2056-25-0x0000000000310000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2056-26-0x0000000000310000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2056-31-0x0000000000310000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2056-43-0x0000000000310000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2056-67-0x0000000000310000-0x0000000000412000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\233310	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
Token: SeTcbPrivilege	2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
Token: SeDebugPrivilege	2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
Token: SeDebugPrivilege	3492	Explorer.EXE
Token: SeTcbPrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3492	Explorer.EXE
3492	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 3492	2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe	47
PID 2056 wrote to memory of 3492	2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe	47
PID 2056 wrote to memory of 3492	2056	2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe	47

C:\Users\Admin\AppData\Local\Temp\2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe
"C:\Users\Admin\AppData\Local\Temp\2ec8bbb23334ede0c92a9126891675ef0d4e7d8af4603cbdf9cf0929eebe09db.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
062d24467ddb7af59ee5ac8420226e28

SHA1
5cb616dd55451d103cd642056fab3f833efb985f

SHA256
7e06fad1e5865e9c0bee13bc2d43e1307e8040fe0973f45ebf3bdfb9bd26cf06

SHA512
d7c7c373f61d0b68cb97a7a12c06af9672f12f7a13ade5521a49bfc869a07e309abc594bb1c8b5a17ced3742aa2f49be79873f0818168af60af53710672be7df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
71e85c5ca03aa621e128b5524fb52ea5

SHA1
55a6bf7c484b8c0fde3b78dfed9234da659d56dc

SHA256
e045c2ffa341e838d27f9f87358246276dad0d13be94c670f552f56f7d72e362

SHA512
f4d62dea814d4cfe6e5a9ac9dea29b83958895a58131a5daeb474349996a744819c6046517a1393d3fb2bc736af582a023bf015d217695c3785bcd81ef13e645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
b0913321982471dd3175b55ccaf8dd77

SHA1
83f98b9ffb094029464a7e5371b3b0c5ce097107

SHA256
17c208a1cdb30f4aff2bfb04a9198d04be21aa795856f4e2e320766edac8ec65

SHA512
0ba40099b95e78287b75f8728735bcfb405e6180cbcd1f56dc863bc4b9b4f0c628595aaf600cda5974b06710ab8143c5cb4b3f339bfdbb1e42055259bca646b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
0f36cd5333d2a38513bc7f24580a275a

SHA1
cfa22248d95251b2d572870302ad21d1e186300e

SHA256
08194a5e4f7661d5b8c148495ebec93278e5a2de12ff942c8c0ad69a47108715

SHA512
bf9d801b770410a0235fc697bb9a01e1bf63c881bb6b52274a73c57b1177cdb5cb0142557dc72e3a80f825f8620b641a332606679428d0e41f8e5af3b625d490

Download Submit
C:\Windows\233310

Filesize
4KB

MD5
d3aeaf8cc5e1e14d143a752c87cf4761

SHA1
682c6834e8c2672ef52f7fa1ee0a425ef37b7338

SHA256
0c716feeed8f07512a57e8bb4dcd285cd14214badaf4bf62ec6ba0a03041678a

SHA512
8c221b54287a8ca2fade37fe412e218d8da36d1220905485437c7d7b46be1c563d33f6ec458ca5f95e5280648df5de3a718b84297febf38443bbfc34d70af9c2

Download Submit
memory/2056-26-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/2056-14-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/2056-25-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/2056-0-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/2056-31-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/2056-43-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/2056-67-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/3492-16-0x0000000002620000-0x0000000002699000-memory.dmp

Filesize
484KB

Download
memory/3492-3-0x00000000024A0000-0x00000000024A3000-memory.dmp

Filesize
12KB

Download
memory/3492-4-0x00000000024A0000-0x00000000024A3000-memory.dmp

Filesize
12KB

Download
memory/3492-7-0x0000000002620000-0x0000000002699000-memory.dmp

Filesize
484KB

Download
memory/3492-5-0x0000000002620000-0x0000000002699000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing