24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8

General

Target

24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
Size

536KB
MD5

885364ed79ba2cee43c2472fa04e46c6
SHA1

066b95243fa226ce18ffbafc7f8fef505e87410b
SHA256

24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8
SHA512

8c280d35d13bd0e71ab8875983b114fd8a52d028f05cd55adfb97995a10da3aa440acd7d830c3bfab2c707698b2c319134474eb2b22f2fad5e1063204746765b
SSDEEP

12288:zhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:zdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1840-0-0x00000000010E0000-0x00000000011E2000-memory.dmp	upx
behavioral1/memory/1840-7-0x00000000010E0000-0x00000000011E2000-memory.dmp	upx
behavioral1/memory/1840-174-0x00000000010E0000-0x00000000011E2000-memory.dmp	upx
behavioral1/memory/1840-660-0x00000000010E0000-0x00000000011E2000-memory.dmp	upx
behavioral1/memory/1840-665-0x00000000010E0000-0x00000000011E2000-memory.dmp	upx
behavioral1/memory/1840-679-0x00000000010E0000-0x00000000011E2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1f8060	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
1224	Explorer.EXE
1224	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
Token: SeTcbPrivilege	1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
Token: SeDebugPrivilege	1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
Token: SeDebugPrivilege	1224	Explorer.EXE
Token: SeTcbPrivilege	1224	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1224	1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe	11
PID 1840 wrote to memory of 1224	1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe	11
PID 1840 wrote to memory of 1224	1840	24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224
- C:\Users\Admin\AppData\Local\Temp\24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe
  "C:\Users\Admin\AppData\Local\Temp\24264025870cb155db82e2d2c8ea53364629aa433165bef2647fd624ae5738e8.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98a92bf9da5c410cfc5b7e0daf52c8f4

SHA1
179a19e01225a717a6b53843bb5e598d4f1998af

SHA256
4858eb0e64b5e5e429f3d09553dd0d3a386a0d36af9b4f367636e25929f2bbc4

SHA512
96f76ec02dfd2dfe8efc8b1bbd136071c1786897e7f6d5691a78844977838e72b79983b4a8ad7c35f72416e1f731934e8e6c1a03be7e48d2f2269b360aa71dcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a9f92c0dcf1ec606b994f12277e6631

SHA1
f903d7b838c6810924ba49f4fe89d72e543cdef0

SHA256
b84ec870d6c8a981b32b28372da296e52ff38ff8fd32ad558866d859982374a6

SHA512
0390399012b61d78779f9d1e027d56577b596b3453031dd9eec944cb619da83fa866bddb5a192103a6c36b495de3a16b8eb5d725a9dfc80440dd2f7a4b13b84d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e148e193358f202da2630201a2404840

SHA1
51db8b742ae9fcf565ac7cab8d585b5043fc747c

SHA256
bf71e86e8b71d73988d11a46dbe32f56ef5fd4b962cb8baa79d1e838b058fe6c

SHA512
ad046712a0f2914ad5bfb0d4c6c9a05980644a4ea020f07a3848eda8b966de95851c422df7d1cebe6f897783a7bdf0f72d5ab0ee9056aad94a916242b1e190ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
290e1e3524310789eaa600658687e2ed

SHA1
ffa01e2ee9c0e95f5d1df4231e55dd18852d19a5

SHA256
aba99f2f7c26fcce6aabe81ba0162a13813ef438a6ef0fb97165a4931871c7bd

SHA512
0e2d670eae768b8c7e13f8eecc514e6f2b9e61497e20dea3f16f0ae50ff342d4f914313ee7668ca0db2fc4f0e0a9e77c9f5c294845bea638ea78aa4571d52ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD857.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD898.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1224-3-0x0000000002620000-0x0000000002623000-memory.dmp

Filesize
12KB

Download
memory/1224-4-0x0000000002620000-0x0000000002623000-memory.dmp

Filesize
12KB

Download
memory/1224-5-0x0000000002BB0000-0x0000000002C29000-memory.dmp

Filesize
484KB

Download
memory/1224-115-0x0000000002BB0000-0x0000000002C29000-memory.dmp

Filesize
484KB

Download
memory/1840-7-0x00000000010E0000-0x00000000011E2000-memory.dmp

Filesize
1.0MB

Download
memory/1840-174-0x00000000010E0000-0x00000000011E2000-memory.dmp

Filesize
1.0MB

Download
memory/1840-0-0x00000000010E0000-0x00000000011E2000-memory.dmp

Filesize
1.0MB

Download
memory/1840-660-0x00000000010E0000-0x00000000011E2000-memory.dmp

Filesize
1.0MB

Download
memory/1840-665-0x00000000010E0000-0x00000000011E2000-memory.dmp

Filesize
1.0MB

Download
memory/1840-679-0x00000000010E0000-0x00000000011E2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing