0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a

General

Target

0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
Size

536KB
MD5

7b8a2c98d52ea175b2212d4db4c74b37
SHA1

34e1310a44a9f9d052c7b436ab6c47ac76a931a8
SHA256

0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a
SHA512

f600e9830bbcaea0ec840776774f1f8b0f4f6c268c4abda648665fb27fcff509f0e002492f691059565b707a1d80269df4486bdf53fc67bd82576d873681fb11
SSDEEP

12288:6hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:6dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1020-0-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/1020-14-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/1020-25-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/1020-27-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/1020-34-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/1020-46-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx
behavioral2/memory/1020-70-0x0000000000E50000-0x0000000000F52000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\117678	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
Token: SeTcbPrivilege	1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
Token: SeDebugPrivilege	1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
Token: SeDebugPrivilege	3452	Explorer.EXE
Token: SeTcbPrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3452	Explorer.EXE
3452	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 3452	1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe	49
PID 1020 wrote to memory of 3452	1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe	49
PID 1020 wrote to memory of 3452	1020	0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe	49

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3452
- C:\Users\Admin\AppData\Local\Temp\0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe
  "C:\Users\Admin\AppData\Local\Temp\0a1015e407cd14a01e943650906f73b9cabd3efeccd3a1194182a6a67ec9f30a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
700ace6729dc1ed90e975db05e467523

SHA1
bb44862572bcf0e9ca05e3ebd587cd9bcf0a29c7

SHA256
ebaf3fe9dd2d4925461bc465852e05ad0b1cdf903d3364e908b61907be3caa5e

SHA512
66ba350d235721a90c43c44579abc2c7ed39a16b17b63169c282b3448d6606763b0166f719a6a1b122735ea117c5ad6a17cd68dcf9e09ac493219bb87dc684ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
71e85c5ca03aa621e128b5524fb52ea5

SHA1
55a6bf7c484b8c0fde3b78dfed9234da659d56dc

SHA256
e045c2ffa341e838d27f9f87358246276dad0d13be94c670f552f56f7d72e362

SHA512
f4d62dea814d4cfe6e5a9ac9dea29b83958895a58131a5daeb474349996a744819c6046517a1393d3fb2bc736af582a023bf015d217695c3785bcd81ef13e645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
c12ddc138c23a3d99c638b2c48d88a5c

SHA1
caa7893d0315b0a7fb8948680f2f0746f7a0ea64

SHA256
56d1b07cba99fe78412bbc95586d930a6c387735e31aba2300128fe0e7f76d36

SHA512
e3acf1f4f0e5be8cffd37a75bf4ce20e3a640c22eed3a1d96c7d3572ee19b0ed1ff95b978e4fe3f3562056879b018d5b9023ad5d5aab635e9b74984e206f9f1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
12f1ec38b408feddded08d46fbc2cc51

SHA1
8e97f497f4e970d9e60c0f34c92111235d0d6932

SHA256
1f866c53140886db3a229a6669cf89f60ae1d3e216a3884166a26f76887a4fdd

SHA512
e7fc7147a1f520e290ea4a96df21aeb88b54f407edc50854599dc98e4a6b13b1122257211772d1168b1ec6ec731785bf694f62a53fe702d0549e2c252a13d963

Download Submit
memory/1020-25-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1020-14-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1020-0-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1020-27-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1020-34-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1020-46-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/1020-70-0x0000000000E50000-0x0000000000F52000-memory.dmp

Filesize
1.0MB

Download
memory/3452-4-0x0000000002D40000-0x0000000002D43000-memory.dmp

Filesize
12KB

Download
memory/3452-16-0x0000000003100000-0x0000000003179000-memory.dmp

Filesize
484KB

Download
memory/3452-6-0x0000000002D40000-0x0000000002D43000-memory.dmp

Filesize
12KB

Download
memory/3452-7-0x0000000003100000-0x0000000003179000-memory.dmp

Filesize
484KB

Download
memory/3452-5-0x0000000003100000-0x0000000003179000-memory.dmp

Filesize
484KB

Download
memory/3452-3-0x0000000002D40000-0x0000000002D43000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing