99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb

General

Target

99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
Size

536KB
MD5

daaa0d3db1dadeb893c983bd6186526c
SHA1

df7e9a5e31432fb205c60b719b98be993a3e178e
SHA256

99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb
SHA512

165df78a29ad26184c411234dd1cd18bfee1ad6fccf60b9e097f41b0952f9b9ef7cdd97fdb7cf7ae9ae33298f346cc0063343928adcb72337b56d537879ed12d
SSDEEP

12288:Xhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:XdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-0-0x0000000000240000-0x0000000000342000-memory.dmp	upx
behavioral1/memory/1732-188-0x0000000000240000-0x0000000000342000-memory.dmp	upx
behavioral1/memory/1732-398-0x0000000000240000-0x0000000000342000-memory.dmp	upx
behavioral1/memory/1732-441-0x0000000000240000-0x0000000000342000-memory.dmp	upx
behavioral1/memory/1732-703-0x0000000000240000-0x0000000000342000-memory.dmp	upx
behavioral1/memory/1732-708-0x0000000000240000-0x0000000000342000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1da708	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
Token: SeTcbPrivilege	1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
Token: SeDebugPrivilege	1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
Token: SeDebugPrivilege	1380	Explorer.EXE
Token: SeTcbPrivilege	1380	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1380	1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe	7
PID 1732 wrote to memory of 1380	1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe	7
PID 1732 wrote to memory of 1380	1732	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe	7

C:\Users\Admin\AppData\Local\Temp\99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
"C:\Users\Admin\AppData\Local\Temp\99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42ab01147fc95e040efaf10eeebd192f

SHA1
4496d088afac8a22c598d375567b526c4dbf2dd3

SHA256
ef4fac6cf0add8177dcdcac5b09fbff566a6796b4bc621ac481f4784836383bf

SHA512
9dd53cad994947f357fa7e5bbde6b6cece04188edfba1d21914c603c57040199dcd9672b6342be4e0a7c44c05ff8881965dc306ade4948da10a0c68d90e4e0be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cee1994773219e9e503c0926f69edca8

SHA1
a67621b72d5cea418aae4fe5b1921dde77242dfe

SHA256
8e5508e561a936f478a098d78264e0029380d7c33b5af1a065906e6d7f6cac0b

SHA512
c192566fded231b58e002b9b423d6d2c8224245b0400ef08fc8d272dd9c21c93ca0ebb28dc19e707d34fc06f073dc2934e9f70b67bce24ff9acb27c6cd938600

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f79848756479fc914bba249938565468

SHA1
a5aad84ad0588d8459a4ca82554d901362d869cb

SHA256
0655112a000cdc5928f6bd1d938a2e256cc65703ef30e4e1d6ebbec1750bcf9b

SHA512
e506214d1e044ade318e7159926b1ce46a8477556c07ee61e05f749639df0454ef47db8e80f31cf2ca75c0b600298805d84c31aec45d6db5ad006edd2cebdcbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
7888384b45992eab402d6b16cc2a406c

SHA1
35f1174fed62da774298d2fdbc5adae7adee7052

SHA256
b31c54c655c6aa3051e6ee28c5c9394a3b1292e28331bebc21a97b6593a04ff0

SHA512
2a7b76a5e8f92f2f35d36994e62eee934768a46f9cdc18162d4e99422d27021109b5ee016739300a954e7fc9cba458a60268e9f540d8c5d8d9066f1c06ff14f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8BD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1380-7-0x00000000040B0000-0x0000000004129000-memory.dmp

Filesize
484KB

Download
memory/1380-238-0x00000000040B0000-0x0000000004129000-memory.dmp

Filesize
484KB

Download
memory/1380-4-0x00000000040B0000-0x0000000004129000-memory.dmp

Filesize
484KB

Download
memory/1380-6-0x0000000002530000-0x0000000002533000-memory.dmp

Filesize
12KB

Download
memory/1380-3-0x0000000002530000-0x0000000002533000-memory.dmp

Filesize
12KB

Download
memory/1732-0-0x0000000000240000-0x0000000000342000-memory.dmp

Filesize
1.0MB

Download
memory/1732-188-0x0000000000240000-0x0000000000342000-memory.dmp

Filesize
1.0MB

Download
memory/1732-398-0x0000000000240000-0x0000000000342000-memory.dmp

Filesize
1.0MB

Download
memory/1732-441-0x0000000000240000-0x0000000000342000-memory.dmp

Filesize
1.0MB

Download
memory/1732-703-0x0000000000240000-0x0000000000342000-memory.dmp

Filesize
1.0MB

Download
memory/1732-708-0x0000000000240000-0x0000000000342000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing