5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35

General

Target

5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
Size

536KB
MD5

8195d40623cbdca8375b8a1aa5aec6b6
SHA1

30a986b79fe16839e946cf0cd7e2d8a717e5be7c
SHA256

5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35
SHA512

59197d413895f1d60409a6c894b6485a098a3265b083eedae880dee81e72ec4aeb7d6e0a8eb7f603e460ef752bb2761c7754800bd8e3c0e8fe6bfb010a9ee9d0
SSDEEP

12288:ihf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:idQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2436-0-0x00000000002A0000-0x00000000003A2000-memory.dmp	upx
behavioral2/memory/2436-14-0x00000000002A0000-0x00000000003A2000-memory.dmp	upx
behavioral2/memory/2436-19-0x00000000002A0000-0x00000000003A2000-memory.dmp	upx
behavioral2/memory/2436-27-0x00000000002A0000-0x00000000003A2000-memory.dmp	upx
behavioral2/memory/2436-32-0x00000000002A0000-0x00000000003A2000-memory.dmp	upx
behavioral2/memory/2436-44-0x00000000002A0000-0x00000000003A2000-memory.dmp	upx
behavioral2/memory/2436-68-0x00000000002A0000-0x00000000003A2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\29b488	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
Token: SeTcbPrivilege	2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
Token: SeDebugPrivilege	2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
Token: SeDebugPrivilege	3464	Explorer.EXE
Token: SeTcbPrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3464	Explorer.EXE
3464	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3464	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 3464	2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe	65
PID 2436 wrote to memory of 3464	2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe	65
PID 2436 wrote to memory of 3464	2436	5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe	65

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3464
- C:\Users\Admin\AppData\Local\Temp\5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe
  "C:\Users\Admin\AppData\Local\Temp\5db0f55f1c7addfb7f13ebf420ce3d6faf2aaee8dfc5bc824922978d53771a35.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
3e335c1a60ef3f445940f463a8a3eecc

SHA1
33d92e765c4e20a9d3144100dcc40c6e9e7b272e

SHA256
55d91214dea5b6bac1df86aae144001c3eb2aca6c64a670e399109ee89cd3f0b

SHA512
b76d6cbbfe61e79793c58bd2329bfabb67f26eb7d80d6aed77f53daea389d47329aa48b144665358d2bb734cbee899bac8e1a31dfd3a43cdb240b0852e1ca7ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
939B

MD5
6a4e851889e8ecf26c1b7a3c0dd0240a

SHA1
472bc2131a4663a69f59e7ac8734d0245617c257

SHA256
807d878735c2433fecba17415d87454ce34192bf39446f0cc6c1236db874057c

SHA512
9c7a36199cc287825b4094fe49021634a7081cf334a0965f1d12eaa476eeba06accb5201ea4f9040dc9ac3a91e3a4737077dd35b6c22a0ec64a4e8156449bdb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
7abc910d891c3863536cd240e9e0e660

SHA1
cc8d5ced2ed368debd34cdb90a3eb6d0da8b3c26

SHA256
c94c1f22ce7a3f2da87211f4a768f57e44f38e8e115ab16d10d63b70bc05a59e

SHA512
b10b41a8da95d57d2b2591168cfabefc06ab2af9716367373ac8003f58b7179e26e394b07164d632a91b511cb3caa7ad86ef097fbca6bb69c7139c7c3b16555e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
08d7bbf0413b6c926dbaa2b37448c1f5

SHA1
8f6dee4e6b82efb96fd6d6a6adfb6791376a0ee4

SHA256
4ec6f296bda754cbe3ecddf21642083aef0f9f5eaeef3505b2e53a78a0b32c59

SHA512
bce5d4edf8da1f435c268e9455c36340f1f6fccece425548c665b99b933abb6e51aeac35eb941cd204c7f2e854c19fe14a86fe570e11c2e233253bb045193b4e

Download Submit
memory/2436-27-0x00000000002A0000-0x00000000003A2000-memory.dmp

Filesize
1.0MB

Download
memory/2436-14-0x00000000002A0000-0x00000000003A2000-memory.dmp

Filesize
1.0MB

Download
memory/2436-19-0x00000000002A0000-0x00000000003A2000-memory.dmp

Filesize
1.0MB

Download
memory/2436-0-0x00000000002A0000-0x00000000003A2000-memory.dmp

Filesize
1.0MB

Download
memory/2436-32-0x00000000002A0000-0x00000000003A2000-memory.dmp

Filesize
1.0MB

Download
memory/2436-44-0x00000000002A0000-0x00000000003A2000-memory.dmp

Filesize
1.0MB

Download
memory/2436-68-0x00000000002A0000-0x00000000003A2000-memory.dmp

Filesize
1.0MB

Download
memory/3464-16-0x0000000008C60000-0x0000000008CD9000-memory.dmp

Filesize
484KB

Download
memory/3464-5-0x00000000082F0000-0x00000000082F3000-memory.dmp

Filesize
12KB

Download
memory/3464-7-0x0000000008C60000-0x0000000008CD9000-memory.dmp

Filesize
484KB

Download
memory/3464-4-0x0000000008C60000-0x0000000008CD9000-memory.dmp

Filesize
484KB

Download
memory/3464-3-0x00000000082F0000-0x00000000082F3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing