3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14

General

Target

3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
Size

536KB
MD5

13896a83495c537f1d6acda89f6f2aef
SHA1

87db9864b5a22f7994b7cbd3c3eb567900a8f32a
SHA256

3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14
SHA512

6a3a990ea4e269d31a3992b8432506855e20e473d9d70b518788da652eaaee20e7e1f7f0c18fc5f605cf194924f2692765653ef13d8406f513d7246900c21330
SSDEEP

12288:Mhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:MdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4356-0-0x00000000000B0000-0x00000000001B2000-memory.dmp	upx
behavioral2/memory/4356-14-0x00000000000B0000-0x00000000001B2000-memory.dmp	upx
behavioral2/memory/4356-25-0x00000000000B0000-0x00000000001B2000-memory.dmp	upx
behavioral2/memory/4356-26-0x00000000000B0000-0x00000000001B2000-memory.dmp	upx
behavioral2/memory/4356-28-0x00000000000B0000-0x00000000001B2000-memory.dmp	upx
behavioral2/memory/4356-33-0x00000000000B0000-0x00000000001B2000-memory.dmp	upx
behavioral2/memory/4356-47-0x00000000000B0000-0x00000000001B2000-memory.dmp	upx
behavioral2/memory/4356-64-0x00000000000B0000-0x00000000001B2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4a9388	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
Token: SeTcbPrivilege	4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
Token: SeDebugPrivilege	4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
Token: SeDebugPrivilege	3488	Explorer.EXE
Token: SeTcbPrivilege	3488	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3488	Explorer.EXE
3488	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3488	4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe	39
PID 4356 wrote to memory of 3488	4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe	39
PID 4356 wrote to memory of 3488	4356	3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3488
- C:\Users\Admin\AppData\Local\Temp\3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec24eae763f301ed56ca54cb681d2eccae4614c1f9fe69d13fedea49c2fbd14.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
ac014cef6cfe67878d8c40ab763bdf4a

SHA1
9213d01d7e180e9d62f8bcf12e41a3c1024a7240

SHA256
bc357cfeb8ec83a9f81951778964baf14f360e23f870da4301f1ea222de70f72

SHA512
8cac47116a686f8fdbf73dd5980ab41907a58cbd86e71bd61e7a51350fd3735f3b558e425d367fa62b578e14bbb9da18c6458f4735bed1d46e40d3222e888e93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
596efc00ea4325ff6b4ab2347a5956ec

SHA1
65cd651905b293b692ef87a30b0a8235608078ce

SHA256
c2e26e0caae647d3c482ee241841ce423be2e462d70abf4b75bd7436457cf9ed

SHA512
de9bd24915bb11921192fb7747f124397855a46a65b5f022d41321e836beec7128e095b1abf8201d2e01682e3b594f69907085eefa558f6f04f1e46e06759b90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
6b53c80d05169499163d5fcb64478970

SHA1
3441e5db2734c81e261d0e1e5b43bbad66266c39

SHA256
878e276ff45d90fffa854a0dac3b6c84330ae6f681e288b2189113a52409b4d2

SHA512
985c891d7645dddeb4bd8456e2630f87868f809bcd93973c2430e7329b2a288f23b7b107c6215cf42ed3d384031c0426cced010cb7e416ea2a47719485043c61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
a3f60e04407c72000881967342e0ef6a

SHA1
ea4588fad264f290a176cc5ba867745ffe154abf

SHA256
79f37410bce2756132c81320dde2b6e3e282161da92f5dd51d12104693760826

SHA512
a6338b77db7a26716c16ba8624b2b5facef05ca3a01c8ac4433d8432ca90aff0c0d5bcf41c6cffc6f1df94eeae73a4a93afa944f071881837ed5e1c421cd5fbd

Download Submit
memory/3488-7-0x00000000032A0000-0x0000000003319000-memory.dmp

Filesize
484KB

Download
memory/3488-5-0x00000000032A0000-0x0000000003319000-memory.dmp

Filesize
484KB

Download
memory/3488-3-0x00000000013E0000-0x00000000013E3000-memory.dmp

Filesize
12KB

Download
memory/3488-16-0x00000000032A0000-0x0000000003319000-memory.dmp

Filesize
484KB

Download
memory/3488-6-0x00000000013E0000-0x00000000013E3000-memory.dmp

Filesize
12KB

Download
memory/3488-4-0x00000000013E0000-0x00000000013E3000-memory.dmp

Filesize
12KB

Download
memory/4356-0-0x00000000000B0000-0x00000000001B2000-memory.dmp

Filesize
1.0MB

Download
memory/4356-14-0x00000000000B0000-0x00000000001B2000-memory.dmp

Filesize
1.0MB

Download
memory/4356-25-0x00000000000B0000-0x00000000001B2000-memory.dmp

Filesize
1.0MB

Download
memory/4356-26-0x00000000000B0000-0x00000000001B2000-memory.dmp

Filesize
1.0MB

Download
memory/4356-28-0x00000000000B0000-0x00000000001B2000-memory.dmp

Filesize
1.0MB

Download
memory/4356-33-0x00000000000B0000-0x00000000001B2000-memory.dmp

Filesize
1.0MB

Download
memory/4356-47-0x00000000000B0000-0x00000000001B2000-memory.dmp

Filesize
1.0MB

Download
memory/4356-64-0x00000000000B0000-0x00000000001B2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing