73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07

General

Target

73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
Size

536KB
MD5

92af43f938696490d3f469d0032f0ca5
SHA1

200c6c42f0dfc49a83cf34395a622af8e621cc07
SHA256

73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07
SHA512

72bab3c206a0779696112eaaed7e32638ecfcebea369f2a1c8bd7a74d5da647a03b3e679342e03ce515a0c530bed3b5b22d0964bca32f7e4746d6d3ce109c551
SSDEEP

12288:phf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:pdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1236-0-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral2/memory/1236-1-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral2/memory/1236-12-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral2/memory/1236-23-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral2/memory/1236-28-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral2/memory/1236-29-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral2/memory/1236-35-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx
behavioral2/memory/1236-47-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\152928	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
3472	Explorer.EXE
3472	Explorer.EXE
3472	Explorer.EXE
3472	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
Token: SeTcbPrivilege	1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
Token: SeDebugPrivilege	1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
Token: SeDebugPrivilege	3472	Explorer.EXE
Token: SeTcbPrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3472	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 3472	1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe	19
PID 1236 wrote to memory of 3472	1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe	19
PID 1236 wrote to memory of 3472	1236	73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe	19

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3472
- C:\Users\Admin\AppData\Local\Temp\73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe
  "C:\Users\Admin\AppData\Local\Temp\73da7aed8c59cfdc1c114ecc8b42fca661c6f270e18b5b021d5f54ec093acb07.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
700ace6729dc1ed90e975db05e467523

SHA1
bb44862572bcf0e9ca05e3ebd587cd9bcf0a29c7

SHA256
ebaf3fe9dd2d4925461bc465852e05ad0b1cdf903d3364e908b61907be3caa5e

SHA512
66ba350d235721a90c43c44579abc2c7ed39a16b17b63169c282b3448d6606763b0166f719a6a1b122735ea117c5ad6a17cd68dcf9e09ac493219bb87dc684ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
50f1f6f1574ff06f01e63ab8fdf55a67

SHA1
1788a64bc1a4922867974dc995fece821b0d904f

SHA256
07630afe76da9d198e37ab30d6a275f1b66368622b7868b4e985fd5a269b73e9

SHA512
e92a0617f12a92d3fedf093a20fd3fdb280933bb4dfc4908aaa287d74db6bd4a2b7053f83fd8c506084616cd9f382d03a2dd1f1f499a8124cf9ba61491242e31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
73eab6109bea2b5ff98feb68ae068248

SHA1
23391d379b84fe5a0f5d370c9b91c2a78f469bd5

SHA256
e1da2c8933550d1eb56f8526aa3498643e7377f814cfd7dddb559b3fc373339c

SHA512
1d33d4c5aaef755176cd2fc634f37f4846bb7982849786bfbb077b47e4d7ee540aeb343a1d2b6fd795ca4d1e08d8364a83472a90ceba9e0e6dff76b5ab2c0317

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
053ccd7882e60052da460fcfb2286fac

SHA1
bd31eec2014b421334f9a1eb85ca010f3c68a652

SHA256
e1c1b43092e21044b40847b889230a42a4b6925cf9e220e14de9d347e5f23522

SHA512
f1ae423eab04f4f01f35b4b8e50540683b7c55692e2cb9b2b40b36efed1eb0cb7322f696e763b620d58e487e332f4e7d9a0dbb1b6b68e0b8efee1f25298470b9

Download Submit
memory/1236-1-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/1236-47-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/1236-35-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/1236-0-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/1236-29-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/1236-28-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/1236-12-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/1236-23-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/3472-6-0x00000000083B0000-0x0000000008429000-memory.dmp

Filesize
484KB

Download
memory/3472-18-0x00000000083B0000-0x0000000008429000-memory.dmp

Filesize
484KB

Download
memory/3472-7-0x00000000025B0000-0x00000000025B3000-memory.dmp

Filesize
12KB

Download
memory/3472-8-0x00000000083B0000-0x0000000008429000-memory.dmp

Filesize
484KB

Download
memory/3472-5-0x00000000025B0000-0x00000000025B3000-memory.dmp

Filesize
12KB

Download
memory/3472-4-0x00000000025B0000-0x00000000025B3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing