ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678

General

Target

ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
Size

536KB
MD5

d4d17c9216b76ea64fef0a46ab07c252
SHA1

b8e66c845036686adf43e414c8232bd2427b51b9
SHA256

ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678
SHA512

b69dbea6ef0b8bacd32c9e41fb19be896c87c1dbf44be4281164f45089b788afbf792d00f80544dea81f1694e563692760c1999db3cd059cc152a13266f92eee
SSDEEP

12288:lhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:ldQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1620-0-0x0000000000E90000-0x0000000000F92000-memory.dmp	upx
behavioral2/memory/1620-14-0x0000000000E90000-0x0000000000F92000-memory.dmp	upx
behavioral2/memory/1620-25-0x0000000000E90000-0x0000000000F92000-memory.dmp	upx
behavioral2/memory/1620-29-0x0000000000E90000-0x0000000000F92000-memory.dmp	upx
behavioral2/memory/1620-35-0x0000000000E90000-0x0000000000F92000-memory.dmp	upx
behavioral2/memory/1620-45-0x0000000000E90000-0x0000000000F92000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1bbc28	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
Token: SeTcbPrivilege	1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
Token: SeDebugPrivilege	1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
Token: SeDebugPrivilege	3440	Explorer.EXE
Token: SeTcbPrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3440	Explorer.EXE
3440	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3440	1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe	84
PID 1620 wrote to memory of 3440	1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe	84
PID 1620 wrote to memory of 3440	1620	ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3440
- C:\Users\Admin\AppData\Local\Temp\ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe
  "C:\Users\Admin\AppData\Local\Temp\ec6b9893ecfe159e35c80269c98775c1b68ab09fcd6c2630f9b9c5f32909d678.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
5a41daacc1b1f5c680954298ee0e5ddb

SHA1
de3148f7137ec0c22c9044e7ce2a577d59accf69

SHA256
9c0071af54e0b9335ecf5feea5b0da5b30306d3d065d5ccca71b7db389bcb82c

SHA512
c6871264601e98fd1d200afd0bb5eecdee8d79bbfc5aed3457f4c1f0c050099db322b057e7aac16de7d452aba87a2d64ce809fb387ce6c5ac4b47faeb0decfa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
d9c370f2a06b8b792e619ced870c8dd3

SHA1
c1644eb9dd3902b0042248b82d68a222768f8e2e

SHA256
8cc6fd07c8c2959a3adffe6f6d6c70364c831e6adcbae2d7337fe33e83c1a006

SHA512
226fb0c33a1366d5a5b10e1a729e04a93fec0730c5ae1ad898085be3ec8566f48e2976a132dc68f3ce9c2ab00b599cfd6a10e01674502ff6f03b0916ff3a796a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
1cf28f5394aba94e439c04f97614dbeb

SHA1
7b355cbf7c20e7b4dc41634ebb23a095c7f0d8cd

SHA256
9ef32190b780729ed66d1d9f8b3aab24002a507f1f02d28ba0c89fcde812bc6c

SHA512
173aed2e0a20d8afebd5e3e2a23e9102bb1426e9d6164dde12afdd61abc11e72b223a40b209c99784745d59045e93312bfd3025297aec20627d012dcb22f3423

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
80463af95be42bda0bba526636a5590b

SHA1
b295ffa9483bb65b66ce4121cc7f6f4e8ef38339

SHA256
6ce671a4ec540c77ec7a48894a9e4ef218781e9d25cb725a55fb50fcd695e8bc

SHA512
61ae7422839a31142af699a18483684b895a25f7e54e75d49861cfe0c2f7a41e8ff0dd80bbc838ed8b98888b2070f0d7ee5dca48b01d313955bfa55832681bd7

Download Submit
memory/1620-25-0x0000000000E90000-0x0000000000F92000-memory.dmp

Filesize
1.0MB

Download
memory/1620-14-0x0000000000E90000-0x0000000000F92000-memory.dmp

Filesize
1.0MB

Download
memory/1620-0-0x0000000000E90000-0x0000000000F92000-memory.dmp

Filesize
1.0MB

Download
memory/1620-29-0x0000000000E90000-0x0000000000F92000-memory.dmp

Filesize
1.0MB

Download
memory/1620-35-0x0000000000E90000-0x0000000000F92000-memory.dmp

Filesize
1.0MB

Download
memory/1620-45-0x0000000000E90000-0x0000000000F92000-memory.dmp

Filesize
1.0MB

Download
memory/3440-4-0x00000000032B0000-0x00000000032B3000-memory.dmp

Filesize
12KB

Download
memory/3440-16-0x0000000003600000-0x0000000003679000-memory.dmp

Filesize
484KB

Download
memory/3440-5-0x0000000003600000-0x0000000003679000-memory.dmp

Filesize
484KB

Download
memory/3440-7-0x0000000003600000-0x0000000003679000-memory.dmp

Filesize
484KB

Download
memory/3440-6-0x00000000032B0000-0x00000000032B3000-memory.dmp

Filesize
12KB

Download
memory/3440-3-0x00000000032B0000-0x00000000032B3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing