99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb

General

Target

99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
Size

536KB
MD5

daaa0d3db1dadeb893c983bd6186526c
SHA1

df7e9a5e31432fb205c60b719b98be993a3e178e
SHA256

99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb
SHA512

165df78a29ad26184c411234dd1cd18bfee1ad6fccf60b9e097f41b0952f9b9ef7cdd97fdb7cf7ae9ae33298f346cc0063343928adcb72337b56d537879ed12d
SSDEEP

12288:Xhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:XdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1744-0-0x0000000000630000-0x0000000000732000-memory.dmp	upx
behavioral2/memory/1744-7-0x0000000000630000-0x0000000000732000-memory.dmp	upx
behavioral2/memory/1744-24-0x0000000000630000-0x0000000000732000-memory.dmp	upx
behavioral2/memory/1744-25-0x0000000000630000-0x0000000000732000-memory.dmp	upx
behavioral2/memory/1744-26-0x0000000000630000-0x0000000000732000-memory.dmp	upx
behavioral2/memory/1744-31-0x0000000000630000-0x0000000000732000-memory.dmp	upx
behavioral2/memory/1744-45-0x0000000000630000-0x0000000000732000-memory.dmp	upx
behavioral2/memory/1744-62-0x0000000000630000-0x0000000000732000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1ddba0	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
Token: SeTcbPrivilege	1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
Token: SeDebugPrivilege	1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
Token: SeDebugPrivilege	3444	Explorer.EXE
Token: SeTcbPrivilege	3444	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 3444	1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe	53
PID 1744 wrote to memory of 3444	1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe	53
PID 1744 wrote to memory of 3444	1744	99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444
- C:\Users\Admin\AppData\Local\Temp\99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe
  "C:\Users\Admin\AppData\Local\Temp\99575d95961f454ca789bc2d53882e851ce9064db1ff190b0461cfbc884b5feb.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
ac014cef6cfe67878d8c40ab763bdf4a

SHA1
9213d01d7e180e9d62f8bcf12e41a3c1024a7240

SHA256
bc357cfeb8ec83a9f81951778964baf14f360e23f870da4301f1ea222de70f72

SHA512
8cac47116a686f8fdbf73dd5980ab41907a58cbd86e71bd61e7a51350fd3735f3b558e425d367fa62b578e14bbb9da18c6458f4735bed1d46e40d3222e888e93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
8a910b9a7028cab2a279db438a3bbbb3

SHA1
f0caf81e0e2d693ca597403510ee16cf213e7cc0

SHA256
4498d58a643abc02825dad0c12bd15f20838c56705b3167ab9b2c3e4a1d2719a

SHA512
d8f40b20440f57044bbd4dd0814ee7f259d927eaa08ecaae9d834e33e44cd0193eae9499611cc9c62fb43c4804118e948b14f2b66d56394b6f5b7a8714ea36ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
c7f5a6f52760fe95f2359c71a7d1187e

SHA1
64da60f85a553f25b53e88cf267fd366a9dd5183

SHA256
efabe2fa6dae82e175aa94deefbf7f647fe9dc197c1eefc25503902564944fbe

SHA512
452f4e9ad6c011b2442e2fd248c20a588ead76ec6b5bb1bad6c5aea4d9721047eda12a7c321b7f9f9140d39d5c1daac45171b40277c3d85cb81cd71496fae1d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
4b8d309712aac75db772ef7fefcadb1f

SHA1
dc2d19aeb318c02c41a558c92bfb2f31dfc1f548

SHA256
f1a421d8ce5aa781f0faca9afce389b7dfea2b23cc0081c5f8a7fb89a28b4bd2

SHA512
c696999808bc7efcb16808602448460597967430cfb84d36a1b6640b338149a2076287e6da1008ea620ace1d04eebc1607dd3fc96596fc87b4b6491e10c04462

Download Submit
memory/1744-25-0x0000000000630000-0x0000000000732000-memory.dmp

Filesize
1.0MB

Download
memory/1744-7-0x0000000000630000-0x0000000000732000-memory.dmp

Filesize
1.0MB

Download
memory/1744-24-0x0000000000630000-0x0000000000732000-memory.dmp

Filesize
1.0MB

Download
memory/1744-0-0x0000000000630000-0x0000000000732000-memory.dmp

Filesize
1.0MB

Download
memory/1744-26-0x0000000000630000-0x0000000000732000-memory.dmp

Filesize
1.0MB

Download
memory/1744-31-0x0000000000630000-0x0000000000732000-memory.dmp

Filesize
1.0MB

Download
memory/1744-45-0x0000000000630000-0x0000000000732000-memory.dmp

Filesize
1.0MB

Download
memory/1744-62-0x0000000000630000-0x0000000000732000-memory.dmp

Filesize
1.0MB

Download
memory/3444-15-0x0000000003090000-0x0000000003109000-memory.dmp

Filesize
484KB

Download
memory/3444-6-0x0000000003090000-0x0000000003109000-memory.dmp

Filesize
484KB

Download
memory/3444-5-0x0000000002A60000-0x0000000002A63000-memory.dmp

Filesize
12KB

Download
memory/3444-4-0x0000000003090000-0x0000000003109000-memory.dmp

Filesize
484KB

Download
memory/3444-3-0x0000000002A60000-0x0000000002A63000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing