f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e

General

Target

f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
Size

536KB
MD5

f16e6ee3b26711e87512afc59d653aed
SHA1

40f0efc64160ee67ab160c927a9391f0caee1dc2
SHA256

f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e
SHA512

452e7746dc0941005f1461109b572abc098ed623040f3ba276d55d5fcfd7d7acdd0334ff4b0986cab8827bd3acf34b836455a419c034b2cf75986a1024f4cfe4
SSDEEP

12288:Uhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:UdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1684-0-0x0000000000B60000-0x0000000000C62000-memory.dmp	upx
behavioral2/memory/1684-1-0x0000000000B60000-0x0000000000C62000-memory.dmp	upx
behavioral2/memory/1684-7-0x0000000000B60000-0x0000000000C62000-memory.dmp	upx
behavioral2/memory/1684-12-0x0000000000B60000-0x0000000000C62000-memory.dmp	upx
behavioral2/memory/1684-20-0x0000000000B60000-0x0000000000C62000-memory.dmp	upx
behavioral2/memory/1684-29-0x0000000000B60000-0x0000000000C62000-memory.dmp	upx
behavioral2/memory/1684-32-0x0000000000B60000-0x0000000000C62000-memory.dmp	upx
behavioral2/memory/1684-46-0x0000000000B60000-0x0000000000C62000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1cd4a8	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
Token: SeTcbPrivilege	1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
Token: SeDebugPrivilege	1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
Token: SeDebugPrivilege	3588	Explorer.EXE
Token: SeTcbPrivilege	3588	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3588	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 3588	1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe	57
PID 1684 wrote to memory of 3588	1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe	57
PID 1684 wrote to memory of 3588	1684	f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3588
- C:\Users\Admin\AppData\Local\Temp\f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe
  "C:\Users\Admin\AppData\Local\Temp\f7fa0915e710d55f538050cb45f65e8c54a7ed720109a9bea1e4957472e2877e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
5a41daacc1b1f5c680954298ee0e5ddb

SHA1
de3148f7137ec0c22c9044e7ce2a577d59accf69

SHA256
9c0071af54e0b9335ecf5feea5b0da5b30306d3d065d5ccca71b7db389bcb82c

SHA512
c6871264601e98fd1d200afd0bb5eecdee8d79bbfc5aed3457f4c1f0c050099db322b057e7aac16de7d452aba87a2d64ce809fb387ce6c5ac4b47faeb0decfa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
d9c370f2a06b8b792e619ced870c8dd3

SHA1
c1644eb9dd3902b0042248b82d68a222768f8e2e

SHA256
8cc6fd07c8c2959a3adffe6f6d6c70364c831e6adcbae2d7337fe33e83c1a006

SHA512
226fb0c33a1366d5a5b10e1a729e04a93fec0730c5ae1ad898085be3ec8566f48e2976a132dc68f3ce9c2ab00b599cfd6a10e01674502ff6f03b0916ff3a796a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
ae26c5e58d0799dfafe8c1204cbeaad8

SHA1
73f800db1c673db2a0a4b8c9d486131bb41e4fe9

SHA256
4c4649f0dc2ed31f0e7d3010d5b44c798553d38c88f86b732097218281d973aa

SHA512
3e7d7d07075885b463da9e4080c2c95dad1a66fade53bd818dd7eadc54363988fd3e9dd2326a5777d099437cd0596fca68d00f5a139372c05c45468695a27871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
8ef98ea5243c1e75e32526e596febbbc

SHA1
ad69b5121fcb6147791b3099fa34cc72d8be2f2f

SHA256
7d6dbd045df8b2b44ab2398e1b322915fab039ecb9b03499aef29487808cd1bc

SHA512
61e8d41736062f889742997046b185591b1134d218b59d1dedaba4a5bc5024fe4fbe352ac3604074051c60289ffdfd4b3481e59785cdaa3bd561f13c9d027b43

Download Submit
memory/1684-7-0x0000000000B60000-0x0000000000C62000-memory.dmp

Filesize
1.0MB

Download
memory/1684-12-0x0000000000B60000-0x0000000000C62000-memory.dmp

Filesize
1.0MB

Download
memory/1684-20-0x0000000000B60000-0x0000000000C62000-memory.dmp

Filesize
1.0MB

Download
memory/1684-0-0x0000000000B60000-0x0000000000C62000-memory.dmp

Filesize
1.0MB

Download
memory/1684-1-0x0000000000B60000-0x0000000000C62000-memory.dmp

Filesize
1.0MB

Download
memory/1684-29-0x0000000000B60000-0x0000000000C62000-memory.dmp

Filesize
1.0MB

Download
memory/1684-32-0x0000000000B60000-0x0000000000C62000-memory.dmp

Filesize
1.0MB

Download
memory/1684-46-0x0000000000B60000-0x0000000000C62000-memory.dmp

Filesize
1.0MB

Download
memory/3588-8-0x0000000007F10000-0x0000000007F89000-memory.dmp

Filesize
484KB

Download
memory/3588-6-0x0000000002650000-0x0000000002653000-memory.dmp

Filesize
12KB

Download
memory/3588-18-0x0000000007F10000-0x0000000007F89000-memory.dmp

Filesize
484KB

Download
memory/3588-5-0x0000000007F10000-0x0000000007F89000-memory.dmp

Filesize
484KB

Download
memory/3588-4-0x0000000002650000-0x0000000002653000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing