b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179

General

Target

b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
Size

536KB
MD5

b0e9bb688e7b2803b37456faf2a0bb3a
SHA1

b6ddbe3d1c1191f47b2173eb9625aa5133dcfc6b
SHA256

b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179
SHA512

d743d749b270337bb1180715e3126cba09d8f01c28b060358a3a7d4466befec26eb26f1182bff38e4eed53d04c910266606197b86f0e51d40d861532b0d6eddb
SSDEEP

12288:hhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:hdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1504-0-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/1504-1-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/1504-4-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/1504-16-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/1504-22-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/1504-33-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/1504-34-0x0000000000F60000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/1504-38-0x0000000000F60000-0x0000000001062000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\19bfc0	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
Token: SeTcbPrivilege	1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
Token: SeDebugPrivilege	1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
Token: SeDebugPrivilege	3464	Explorer.EXE
Token: SeTcbPrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3464	1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe	43
PID 1504 wrote to memory of 3464	1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe	43
PID 1504 wrote to memory of 3464	1504	b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe	43

C:\Users\Admin\AppData\Local\Temp\b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe
"C:\Users\Admin\AppData\Local\Temp\b8c82071dff869a7ae1497b0bc999f6e6a882612486b3a55b7bceb3a0018a179.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
8b437fee4ec35edcdbda1d0ce2a5eafb

SHA1
17a4447e13f807840727f48a537bd172cd90d631

SHA256
f2dcdeb4f794f6f97431a0707560163067d1ebc509f33e61c760f0fca9372848

SHA512
156d8d168b591c6eee6e79f0d76d37d206e2855e848d5bf255c0bc26c9c6b8097df6607e03dc0e0d1a3b23ec11495d47b161dea152fd363240304bd189b4355b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
aa4b6f444eab18c9f51e322011ebedec

SHA1
6f83ddb1848bb673dc089d654dda2d80ce1a7843

SHA256
8fa1bf20418a15eadbe3247d1c889f170767f82b3e28480c62fd7c7c97689626

SHA512
59e20c5cfe82acd080c2fc9e3950c3a0eeaf42b2c56b901509e98f6fb8640d79e9633417056b9a9aa72b2e7554b43bf85c9f57728ed4b6363c5d17622339901d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
e0335d2db18fd295aa9e76af7881c177

SHA1
65015082b6912dc3eea9483dc7798ca2640af5ab

SHA256
c492775975cb181af7cd2aac1e1f95e1006a54b536ec82661760bfdc339f4b92

SHA512
528975c52d1e434947dfaffb3276d326e7f1de245fa635e93e8925acd0bd4e5971b1c4fba507ef85d472e1fff7e5a71ba84eb4256e154859a80f8be210f98715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
a489493307e23debe3b45f52c86c5b48

SHA1
6d95dd146018168a830cdd5a7aad07deffe684e4

SHA256
50255ac3d224d5840af95e2818e6175dfb7d8143fb5b6b1ccff1d3545e241251

SHA512
06fdf307f701a216ee2b30bfde25a29becd04c613f9d8d73cf3cb33cde0a87d815be24c0414b23b871a1259672a776f539e10a64cbaef7794b7e370e9e719be8

Download Submit
memory/1504-1-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/1504-4-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/1504-38-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/1504-0-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/1504-34-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/1504-33-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/1504-16-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/1504-22-0x0000000000F60000-0x0000000001062000-memory.dmp

Filesize
1.0MB

Download
memory/3464-6-0x0000000003470000-0x00000000034E9000-memory.dmp

Filesize
484KB

Download
memory/3464-19-0x0000000003470000-0x00000000034E9000-memory.dmp

Filesize
484KB

Download
memory/3464-8-0x0000000001530000-0x0000000001533000-memory.dmp

Filesize
12KB

Download
memory/3464-9-0x0000000003470000-0x00000000034E9000-memory.dmp

Filesize
484KB

Download
memory/3464-5-0x0000000001530000-0x0000000001533000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing