2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0

General

Target

2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
Size

536KB
MD5

0eb58bdfdf2fcdc09bf66b74df88abc0
SHA1

5f07d6c3dea858ad561860616f91675ea48c1373
SHA256

2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0
SHA512

a49bece4ce85ba000352158d4f00196bb16f486debcda1ebc6dda67ff3860a75d19e4c17f22d01d2b09d5a0ea600ca2a51f4c787d78084c745ef637e62e4bf31
SSDEEP

12288:Phf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:PdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2672-0-0x0000000001040000-0x0000000001142000-memory.dmp	upx
behavioral1/memory/2672-42-0x0000000001040000-0x0000000001142000-memory.dmp	upx
behavioral1/memory/2672-227-0x0000000001040000-0x0000000001142000-memory.dmp	upx
behavioral1/memory/2672-413-0x0000000001040000-0x0000000001142000-memory.dmp	upx
behavioral1/memory/2672-706-0x0000000001040000-0x0000000001142000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2dbee0	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
Token: SeTcbPrivilege	2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
Token: SeDebugPrivilege	2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeTcbPrivilege	1212	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1212	2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe	19
PID 2672 wrote to memory of 1212	2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe	19
PID 2672 wrote to memory of 1212	2672	2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe	19

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212
- C:\Users\Admin\AppData\Local\Temp\2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe
  "C:\Users\Admin\AppData\Local\Temp\2c5de3e80b125f43e0339cdcc0d5a13d692d32f7f1cbb38165b199d9b759a7f0.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
954a281b09f254f3afb6efad91209739

SHA1
289d02a9a704149efca900e5899f03f014736ab5

SHA256
e12a44fa5bb80fd7b4b341bdb3f97a092e79a95f648bff9daa4f3a310e9b8e96

SHA512
b6f32d976598983caa389b6bff852431d01e7a3343720445b47418894d19e549491c634ba164d2d3917a7637f0e06a26c6ddebe31204977425bb3a0376024b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4BC2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5594.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1212-4-0x0000000002BC0000-0x0000000002BC3000-memory.dmp

Filesize
12KB

Download
memory/1212-7-0x0000000003B00000-0x0000000003B79000-memory.dmp

Filesize
484KB

Download
memory/1212-6-0x0000000002BC0000-0x0000000002BC3000-memory.dmp

Filesize
12KB

Download
memory/1212-5-0x0000000003B00000-0x0000000003B79000-memory.dmp

Filesize
484KB

Download
memory/1212-224-0x0000000003B00000-0x0000000003B79000-memory.dmp

Filesize
484KB

Download
memory/1212-3-0x0000000002BC0000-0x0000000002BC3000-memory.dmp

Filesize
12KB

Download
memory/2672-0-0x0000000001040000-0x0000000001142000-memory.dmp

Filesize
1.0MB

Download
memory/2672-42-0x0000000001040000-0x0000000001142000-memory.dmp

Filesize
1.0MB

Download
memory/2672-227-0x0000000001040000-0x0000000001142000-memory.dmp

Filesize
1.0MB

Download
memory/2672-413-0x0000000001040000-0x0000000001142000-memory.dmp

Filesize
1.0MB

Download
memory/2672-706-0x0000000001040000-0x0000000001142000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing