ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678

General

Target

ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
Size

536KB
MD5

d4d17c9216b76ea64fef0a46ab07c252
SHA1

b8e66c845036686adf43e414c8232bd2427b51b9
SHA256

ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678
SHA512

b69dbea6ef0b8bacd32c9e41fb19be896c87c1dbf44be4281164f45089b788afbf792d00f80544dea81f1694e563692760c1999db3cd059cc152a13266f92eee
SSDEEP

12288:lhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:ldQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-0-0x0000000001340000-0x0000000001442000-memory.dmp	upx
behavioral1/memory/2416-91-0x0000000001340000-0x0000000001442000-memory.dmp	upx
behavioral1/memory/2416-303-0x0000000001340000-0x0000000001442000-memory.dmp	upx
behavioral1/memory/2416-434-0x0000000001340000-0x0000000001442000-memory.dmp	upx
behavioral1/memory/2416-547-0x0000000001340000-0x0000000001442000-memory.dmp	upx
behavioral1/memory/2416-731-0x0000000001340000-0x0000000001442000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\295ce0	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
1340	Explorer.EXE
1340	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
Token: SeTcbPrivilege	2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
Token: SeDebugPrivilege	2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
Token: SeDebugPrivilege	1340	Explorer.EXE
Token: SeTcbPrivilege	1340	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1340	Explorer.EXE
1340	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1340	Explorer.EXE
1340	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1340	2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe	7
PID 2416 wrote to memory of 1340	2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe	7
PID 2416 wrote to memory of 1340	2416	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe	7

C:\Users\Admin\AppData\Local\Temp\ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
"C:\Users\Admin\AppData\Local\Temp\ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e6cc1778b26a36b99b2c8d5d0fe586c

SHA1
5a3e0e500ea3be79401ecc56708177fb9f1dd20d

SHA256
0a133bc4d84b936fc18824964106cc7d00d845a38e57257c32a0151551b05729

SHA512
df00cdf6a7d3b464858e7a0a4097a12f719ccc0c5a32f3e0235b094e255aa413fc09d4f7384a92678810366757ad0b3693d40d5f1bf59df9965fe00d46d0033c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6523b23069d14998cddd13d7ac83108f

SHA1
2606b98331d9013f01518bc2930dc967d48d422a

SHA256
7aba552fe90a60e1bc43f7eb9b0aed7df2bf8b7e747c9ddf7b797115409f3b2e

SHA512
af73795892ab43199618ebc8820e185f4e04d248dbc8a6a9953d25212438c8f006ead21e88f5fafa9c1ac068bea4f526ddcfabf75d39561018669ea2fdd934a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed7a478607f1df07270e3e6e77a89edc

SHA1
e6fec93e428d624433abd8bbc77a63e6284036b8

SHA256
71745d9ec7ece2745abc712d5a805e6e83c7ba9f5a3e8497dd3c41ec42c97d2d

SHA512
90463e4dfe9f336943044a02dd67f7107c1bf679d4f4634580a3a0b1cb9b530cecd396c50f248635a40182f2ab0ebf00aa3b1f3233f759b0cdb7112b62bbe21b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
afbe91fa29a5b96d3119d7f9fc07483f

SHA1
adf14efafeca7cb85a2a361122a2ee34ce49eb28

SHA256
97bbc204c0008566947888c1733afcac0d306be82c30641f49e5de059a98982c

SHA512
1db3131f78dd5eb233f60ff0fc93d1a0ef1b099d2d772f8503252ff553ee4219bbdac19f4dc72dc14128d65bcf2fef266aa2cb2cc058d7259c2e5d1995c0fd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarED5.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1340-6-0x0000000003ED0000-0x0000000003F49000-memory.dmp

Filesize
484KB

Download
memory/1340-189-0x0000000003ED0000-0x0000000003F49000-memory.dmp

Filesize
484KB

Download
memory/1340-5-0x00000000032A0000-0x00000000032A3000-memory.dmp

Filesize
12KB

Download
memory/1340-4-0x0000000003ED0000-0x0000000003F49000-memory.dmp

Filesize
484KB

Download
memory/1340-3-0x00000000032A0000-0x00000000032A3000-memory.dmp

Filesize
12KB

Download
memory/2416-91-0x0000000001340000-0x0000000001442000-memory.dmp

Filesize
1.0MB

Download
memory/2416-0-0x0000000001340000-0x0000000001442000-memory.dmp

Filesize
1.0MB

Download
memory/2416-303-0x0000000001340000-0x0000000001442000-memory.dmp

Filesize
1.0MB

Download
memory/2416-434-0x0000000001340000-0x0000000001442000-memory.dmp

Filesize
1.0MB

Download
memory/2416-547-0x0000000001340000-0x0000000001442000-memory.dmp

Filesize
1.0MB

Download
memory/2416-731-0x0000000001340000-0x0000000001442000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing