439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da

General

Target

439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
Size

536KB
MD5

6e114aacdddd418a0b556b46385e3338
SHA1

5b3785d29cab062defe9569292a7639450da535c
SHA256

439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da
SHA512

eaf2b2f2d996ca4cd0d832205351ead23bca7b8d46f89ddb2e74cdfa6414f6a749458f808b3db2ba177cc359ac2c5c0038cdf4928d00023a01decea462fee831
SSDEEP

12288:8hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:8dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4852-0-0x0000000000610000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/4852-14-0x0000000000610000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/4852-25-0x0000000000610000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/4852-27-0x0000000000610000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/4852-30-0x0000000000610000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/4852-42-0x0000000000610000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/4852-71-0x0000000000610000-0x0000000000712000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\531168	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
Token: SeTcbPrivilege	4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
Token: SeDebugPrivilege	4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
Token: SeDebugPrivilege	3492	Explorer.EXE
Token: SeTcbPrivilege	3492	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 3492	4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe	13
PID 4852 wrote to memory of 3492	4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe	13
PID 4852 wrote to memory of 3492	4852	439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492
- C:\Users\Admin\AppData\Local\Temp\439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe
  "C:\Users\Admin\AppData\Local\Temp\439e32ff078c800d5efa7b473abbf10bf0b5f5b9a7f134f888dff1f3f04527da.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
be0abb453d9051af17c0490bb367df09

SHA1
6a19c34a11678a5cdb83ac377712a5ba1f725a73

SHA256
c998c607b63ed5ba9416e7c4582cefefa6db2ff2a72903014b5ca3b26a076206

SHA512
6bfddc10f46330c0466407d68ae0a1106f29e4cdb3bf9709890a9fff0d99b2e65c8854c6fb6e3ab3717de72e48ad92bb25313df087a3090d3a880d32f6ee46ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
aa4b6f444eab18c9f51e322011ebedec

SHA1
6f83ddb1848bb673dc089d654dda2d80ce1a7843

SHA256
8fa1bf20418a15eadbe3247d1c889f170767f82b3e28480c62fd7c7c97689626

SHA512
59e20c5cfe82acd080c2fc9e3950c3a0eeaf42b2c56b901509e98f6fb8640d79e9633417056b9a9aa72b2e7554b43bf85c9f57728ed4b6363c5d17622339901d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
e45dfecab475573c6b1defef3b1a4760

SHA1
15807e711f67cfcf4a364a92b595d374868c20ce

SHA256
d727d9e52afd253b8881d4ddfb77337c4a88bd3223a52da77d4ea5daba1dc880

SHA512
b94360e90588ca4b8b9411148f4650e06cea6e166eca2bae8e9bef930429a6486919a4c92c09797981d2cc890801e49d74ccea1b7e2acb5ee7537c9e08030e60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
153a95e5d36dba4ee9278ad514ab5c70

SHA1
9f5ae20efe887477c8918e9e243eda413f44cc5f

SHA256
63c011ce32f12790e441ba843cf419264f62ebea7695df3ce22977c4379f00b3

SHA512
296abee94bcdbb9e530ef5361194bf917b9783a6730f713a8c528b76462ba0961f20ca6cbcd2412b8fda8cc2b47e263636b2fbe615278608534ae303eea99a06

Download Submit
memory/3492-6-0x0000000002630000-0x0000000002633000-memory.dmp

Filesize
12KB

Download
memory/3492-4-0x0000000002630000-0x0000000002633000-memory.dmp

Filesize
12KB

Download
memory/3492-16-0x00000000026C0000-0x0000000002739000-memory.dmp

Filesize
484KB

Download
memory/3492-7-0x00000000026C0000-0x0000000002739000-memory.dmp

Filesize
484KB

Download
memory/3492-5-0x00000000026C0000-0x0000000002739000-memory.dmp

Filesize
484KB

Download
memory/3492-3-0x0000000002630000-0x0000000002633000-memory.dmp

Filesize
12KB

Download
memory/4852-14-0x0000000000610000-0x0000000000712000-memory.dmp

Filesize
1.0MB

Download
memory/4852-0-0x0000000000610000-0x0000000000712000-memory.dmp

Filesize
1.0MB

Download
memory/4852-25-0x0000000000610000-0x0000000000712000-memory.dmp

Filesize
1.0MB

Download
memory/4852-27-0x0000000000610000-0x0000000000712000-memory.dmp

Filesize
1.0MB

Download
memory/4852-30-0x0000000000610000-0x0000000000712000-memory.dmp

Filesize
1.0MB

Download
memory/4852-42-0x0000000000610000-0x0000000000712000-memory.dmp

Filesize
1.0MB

Download
memory/4852-71-0x0000000000610000-0x0000000000712000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing