0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a

General

Target

0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
Size

536KB
MD5

7b8a2c98d52ea175b2212d4db4c74b37
SHA1

34e1310a44a9f9d052c7b436ab6c47ac76a931a8
SHA256

0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a
SHA512

f600e9830bbcaea0ec840776774f1f8b0f4f6c268c4abda648665fb27fcff509f0e002492f691059565b707a1d80269df4486bdf53fc67bd82576d873681fb11
SSDEEP

12288:6hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:6dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3032-0-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral1/memory/3032-15-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral1/memory/3032-345-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral1/memory/3032-479-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral1/memory/3032-736-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx
behavioral1/memory/3032-750-0x0000000000FB0000-0x00000000010B2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\33e8b0	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
Token: SeTcbPrivilege	3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
Token: SeDebugPrivilege	3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
Token: SeDebugPrivilege	1284	Explorer.EXE
Token: SeTcbPrivilege	1284	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1284	3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe	17
PID 3032 wrote to memory of 1284	3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe	17
PID 3032 wrote to memory of 1284	3032	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe	17

C:\Users\Admin\AppData\Local\Temp\0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
"C:\Users\Admin\AppData\Local\Temp\0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8efc45167ac3231a763a95341b4a40ae

SHA1
138db7ac62937406b8ba2983a891a406427e6706

SHA256
00049af9c23320077f04a3277fa3722cf5b480ae8d0012b690adef8a52b5ce0d

SHA512
e67ebfe8a927b5d258ab667216df13dc46a96d97c15d6080feff3e11397b73af20014bba6478bc5083519ef4d5b496704c6312716c1097ae6131010ae7ce6d20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa2f01f194844559cb6a2d09f4b8a344

SHA1
81c3bc50a6c775bf612933176615f25a59294043

SHA256
a672f075b4f523041384bac379c1c6a4be7ea9ea5c817da6d1ed8310cc660676

SHA512
9aff793d53150559dde03cc9d74125f4f520cb5633792d9ba2b63f4f5e61ee72d69f6804ee48fd1a05235452017aaded1607ca987920bb8df7678d44f30b8d0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d09f45a95b4f2f66ece4eb69c41bbb85

SHA1
3e4fe29cccf028e0cd5527ccbedd68f4de914f77

SHA256
c1b5010f2689fee1fbaa16c6b8470a922b65dfa984ad06f6d9f0b0528d5b9b28

SHA512
389c8f4cff88e1d520835986e2da58904cf61e1102119b1f9473f892f34f698df60bf1b9022d8e481029335cf8dfdcbf5298648cd9f30c846a849a57f2023a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC303.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC335.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1284-7-0x0000000003E80000-0x0000000003EF9000-memory.dmp

Filesize
484KB

Download
memory/1284-152-0x0000000003E80000-0x0000000003EF9000-memory.dmp

Filesize
484KB

Download
memory/1284-4-0x0000000003E80000-0x0000000003EF9000-memory.dmp

Filesize
484KB

Download
memory/1284-6-0x0000000002980000-0x0000000002983000-memory.dmp

Filesize
12KB

Download
memory/1284-3-0x0000000002980000-0x0000000002983000-memory.dmp

Filesize
12KB

Download
memory/3032-15-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/3032-0-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/3032-345-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/3032-479-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/3032-736-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download
memory/3032-750-0x0000000000FB0000-0x00000000010B2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing