4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540

General

Target

4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
Size

536KB
MD5

ba87e864b94b3898b41f70784214ccd1
SHA1

a2e1f5ef52c5d3c187a1ba52f3d7631cedeb1e3c
SHA256

4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540
SHA512

84095845e50f71d40421efd9b5569ee0261be34ef59dadbf53c053470e2226b38353043fa75cf379745c566a17c3ee58cb2f384103cfa186ef1cecf134b89130
SSDEEP

12288:Nhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:NdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2896-0-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/2896-14-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/2896-19-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/2896-27-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/2896-28-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/2896-35-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/2896-45-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/2896-69-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3194a0	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
Token: SeTcbPrivilege	2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
Token: SeDebugPrivilege	2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
Token: SeDebugPrivilege	3340	Explorer.EXE
Token: SeTcbPrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3340	Explorer.EXE
3340	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3340	2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe	43
PID 2896 wrote to memory of 3340	2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe	43
PID 2896 wrote to memory of 3340	2896	4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe	43

C:\Users\Admin\AppData\Local\Temp\4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe
"C:\Users\Admin\AppData\Local\Temp\4606bea551670d84e212c22913a02482e0b6b7a7ced51ce8292429e8226ca540.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
c723ee6856557f0bfd1cc5e67b553d05

SHA1
3a78610a0c88153d0f6f5b78640a6e6be4c00090

SHA256
965a8fe70760f2e36dde21daabe53e847bb56c53a850e6e6cb37238cc9963281

SHA512
2693cc09b2d3a63ff4ed2fb331a1e871e33317959da68b2e095ec986670f5aaba620d44be5e5d79c7471e8c642410ec7f3259452898dd4a4b2cc5e556d2f1bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
939B

MD5
8fae162548fda49d1fd8a343356c191e

SHA1
0a85f178464e461e566d827985974d379e434d15

SHA256
2195f0b4a24a2ab39c72931875473d38cdc1d6d33eb9257072eea8c5052647d3

SHA512
fbbe6dc04f4b583bcf441b160138ddeee81112864e784cdeb79256e1377f30732d58b2e450156899b02e35018a4a2075d8edce451fc3b3894aab77a336b06a92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
16f75281b71c22c749f11c541033307c

SHA1
094d351ec2308d5dcad5bc9da6b62ac74464c9b4

SHA256
06f8303db7f6afa81b26925169737b083ac4249473ee94d7c2d201f6e95ea660

SHA512
adeb2993d00fae40b3b9652af0ff93dd5e18c0f82a6e082abf7202d3cbe723c5a99c0984f990b4abbf194673b619b2147e267787ff7aa3f99cb663e6eb8fdfee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
4b6d1a8d9c943b43fb86d8b47ece7a4e

SHA1
7ed85eff374f456fdd72543391fbbf7dde641beb

SHA256
ddc19b8de4cd615b09a9664805ee32ced0fc3bb5fc4caff8bd0261181230d846

SHA512
9a676b6772c02fb828329975c84cf67749c8c1b88062ec73ea1eeafb0c851aded785e283921ede453437b6a55dd99549cc014737d9ddf3550f539eb3df5473d8

Download Submit
memory/2896-27-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/2896-14-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/2896-19-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/2896-0-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/2896-28-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/2896-35-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/2896-45-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/2896-69-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/3340-16-0x00000000028D0000-0x0000000002949000-memory.dmp

Filesize
484KB

Download
memory/3340-3-0x00000000004C0000-0x00000000004C3000-memory.dmp

Filesize
12KB

Download
memory/3340-7-0x00000000028D0000-0x0000000002949000-memory.dmp

Filesize
484KB

Download
memory/3340-6-0x00000000004C0000-0x00000000004C3000-memory.dmp

Filesize
12KB

Download
memory/3340-4-0x00000000028D0000-0x0000000002949000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing