aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe

General

Target

aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
Size

536KB
MD5

4886ee77dbc910da2e6bdb830eed4140
SHA1

330950e6794e78ac3d9f736c43a05317c8328b49
SHA256

aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe
SHA512

ae28c1174046e1e7a026304e3e0f2ba77700d12485c7a5598894d02a015d61f502aadd837e087f0434ffc163409c41c563c985be2f4b247b8053ab459ec19a76
SSDEEP

12288:Khf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:KdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3340-0-0x0000000000680000-0x0000000000782000-memory.dmp	upx
behavioral2/memory/3340-13-0x0000000000680000-0x0000000000782000-memory.dmp	upx
behavioral2/memory/3340-24-0x0000000000680000-0x0000000000782000-memory.dmp	upx
behavioral2/memory/3340-26-0x0000000000680000-0x0000000000782000-memory.dmp	upx
behavioral2/memory/3340-33-0x0000000000680000-0x0000000000782000-memory.dmp	upx
behavioral2/memory/3340-40-0x0000000000680000-0x0000000000782000-memory.dmp	upx
behavioral2/memory/3340-69-0x0000000000680000-0x0000000000782000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\392e98	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
3348	Explorer.EXE
3348	Explorer.EXE
3348	Explorer.EXE
3348	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
Token: SeTcbPrivilege	3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
Token: SeDebugPrivilege	3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
Token: SeDebugPrivilege	3348	Explorer.EXE
Token: SeTcbPrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3348	Explorer.EXE
3348	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3348	3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe	48
PID 3340 wrote to memory of 3348	3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe	48
PID 3340 wrote to memory of 3348	3340	aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe	48

C:\Users\Admin\AppData\Local\Temp\aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe
"C:\Users\Admin\AppData\Local\Temp\aa75cbd3f282aca8d63933673abe2ea0597549a65e9fd49f5cd00976fc9ffafe.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
5a41daacc1b1f5c680954298ee0e5ddb

SHA1
de3148f7137ec0c22c9044e7ce2a577d59accf69

SHA256
9c0071af54e0b9335ecf5feea5b0da5b30306d3d065d5ccca71b7db389bcb82c

SHA512
c6871264601e98fd1d200afd0bb5eecdee8d79bbfc5aed3457f4c1f0c050099db322b057e7aac16de7d452aba87a2d64ce809fb387ce6c5ac4b47faeb0decfa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
596efc00ea4325ff6b4ab2347a5956ec

SHA1
65cd651905b293b692ef87a30b0a8235608078ce

SHA256
c2e26e0caae647d3c482ee241841ce423be2e462d70abf4b75bd7436457cf9ed

SHA512
de9bd24915bb11921192fb7747f124397855a46a65b5f022d41321e836beec7128e095b1abf8201d2e01682e3b594f69907085eefa558f6f04f1e46e06759b90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
8bcbaf1aa6ce8d28346063aff062eb4d

SHA1
fd5de95f0edf5b654b51ceebb4bee94f1938fcbb

SHA256
937475a4328bd4c7cbbda26f2e0a0bca9a65a33c04ad152aa69df71ad26a114f

SHA512
3f2a293b5e335868e3872b6c08d6314c5ac7d7f0a1d3737d89636d22349e957cf0b28d00a976567a50443cab1d63f485a66cbe4ef58057421db4cdd4f3fd3e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
58cbdd49528a032f6c97b6ca0a59df3d

SHA1
38945d97af91269f22c7a282c1bfe44c4c65142d

SHA256
dd5f8e67778afacbee2473767305b2b7ee422b27b5accf3bb954068da96cc78c

SHA512
81393b2c616b5b525081c738aa1ccd7302eb2c73ead7fd7b894e872a91b1b5daed29ed501b762b11353d6c26c0bc065e0ba2c4914f978ac9efbfbe907743d589

Download Submit
memory/3340-26-0x0000000000680000-0x0000000000782000-memory.dmp

Filesize
1.0MB

Download
memory/3340-13-0x0000000000680000-0x0000000000782000-memory.dmp

Filesize
1.0MB

Download
memory/3340-24-0x0000000000680000-0x0000000000782000-memory.dmp

Filesize
1.0MB

Download
memory/3340-0-0x0000000000680000-0x0000000000782000-memory.dmp

Filesize
1.0MB

Download
memory/3340-33-0x0000000000680000-0x0000000000782000-memory.dmp

Filesize
1.0MB

Download
memory/3340-40-0x0000000000680000-0x0000000000782000-memory.dmp

Filesize
1.0MB

Download
memory/3340-69-0x0000000000680000-0x0000000000782000-memory.dmp

Filesize
1.0MB

Download
memory/3348-15-0x0000000002EA0000-0x0000000002F19000-memory.dmp

Filesize
484KB

Download
memory/3348-3-0x0000000002B20000-0x0000000002B23000-memory.dmp

Filesize
12KB

Download
memory/3348-5-0x0000000002B20000-0x0000000002B23000-memory.dmp

Filesize
12KB

Download
memory/3348-6-0x0000000002EA0000-0x0000000002F19000-memory.dmp

Filesize
484KB

Download
memory/3348-4-0x0000000002EA0000-0x0000000002F19000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing