7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468

General

Target

7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
Size

536KB
MD5

19cc53e13e2342f7f6cb7659ee2b07fc
SHA1

7ea2456b4c753f4360e76bc2944f39f200c79698
SHA256

7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468
SHA512

734bcc8135171aaaff6f76b5c191063632fe1e1861fc2b810b6a202e103f258e42cb4a4420296bd510c9eed39dd657c7a357da2f5ccc7cdc4c64cb624369da88
SSDEEP

12288:3hf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:3dQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3544-0-0x0000000000530000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3544-14-0x0000000000530000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3544-25-0x0000000000530000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3544-26-0x0000000000530000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3544-27-0x0000000000530000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3544-34-0x0000000000530000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3544-46-0x0000000000530000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3544-63-0x0000000000530000-0x0000000000632000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3cacb0	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
Token: SeTcbPrivilege	3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
Token: SeDebugPrivilege	3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
Token: SeDebugPrivilege	3564	Explorer.EXE
Token: SeTcbPrivilege	3564	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 3564	3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe	25
PID 3544 wrote to memory of 3564	3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe	25
PID 3544 wrote to memory of 3564	3544	7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe	25

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564
- C:\Users\Admin\AppData\Local\Temp\7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe
  "C:\Users\Admin\AppData\Local\Temp\7d902ed1e37d7dd9d521f4edee3dfa67b837b16bd3dd67eed921e06e98512468.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
0fd37457356cb7e5b540cbf9f2994f11

SHA1
70cb5723cd1016993535e021df7d2368b13c4711

SHA256
f6b81f04024798caabed4299d5ee85e30f1a8d5c1171dcce0c950714c71fb2d5

SHA512
fb67b5a7a0423c33a5b10879d359b4c3ddf0355d00a9be377f5ee3e636665db87cf74b202e276a37691106a71c411b96291c82202e7699cf71d43c061e6002d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
8843653205a85cd500241b96cc3de06c

SHA1
5cecb7b331cf6cae10c495c534d81866d3edfa38

SHA256
9cfbcfded2d2bdf4af443b1a49825cca136e9d16a3ac31a24cb202d0438306e8

SHA512
dad3b972f362366f13bd82492fc6b1de50877ae5d0919e1ea994bf5a85d739fe6f16f0326b1c65d4cb689e84a78155f1cdabc1f57bffbe35b9ae301b92cdddcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
d3ae010e4c3e065893f08a328872b67e

SHA1
3d9415d27b5f29650caec2923837a968a9702c3d

SHA256
a95fb0614933a9e70acd123e79b25785c59338a14608199979eade1a559b13be

SHA512
2b7ef324ea64bbabbdf4e185a9fc597c3d07e7158c1ef8051f545a885702eb63caad6af4760bcf541ded7b9ffa6d7703f862e840b5e7b866cb22e5be63c425f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
3bc9ec5bbcb3624916425c7b93302ca9

SHA1
8a60b33e965684fbf6081ada9b94633e27d38db9

SHA256
2246c4a5d9747e4003f4e97ba008e54777f4a46e0f050ddf52d444104884cdfd

SHA512
bc0fa8d80a4bc56a028c9312260b2918e21aa859357b96a054bb368501845673c423531e2f4bc06fff995cf0f1f4db6e49a8a4672374428f8150e4b69f2b3ba9

Download Submit
memory/3544-26-0x0000000000530000-0x0000000000632000-memory.dmp

Filesize
1.0MB

Download
memory/3544-14-0x0000000000530000-0x0000000000632000-memory.dmp

Filesize
1.0MB

Download
memory/3544-25-0x0000000000530000-0x0000000000632000-memory.dmp

Filesize
1.0MB

Download
memory/3544-0-0x0000000000530000-0x0000000000632000-memory.dmp

Filesize
1.0MB

Download
memory/3544-27-0x0000000000530000-0x0000000000632000-memory.dmp

Filesize
1.0MB

Download
memory/3544-34-0x0000000000530000-0x0000000000632000-memory.dmp

Filesize
1.0MB

Download
memory/3544-46-0x0000000000530000-0x0000000000632000-memory.dmp

Filesize
1.0MB

Download
memory/3544-63-0x0000000000530000-0x0000000000632000-memory.dmp

Filesize
1.0MB

Download
memory/3564-16-0x0000000008680000-0x00000000086F9000-memory.dmp

Filesize
484KB

Download
memory/3564-7-0x0000000008680000-0x00000000086F9000-memory.dmp

Filesize
484KB

Download
memory/3564-6-0x0000000002D50000-0x0000000002D53000-memory.dmp

Filesize
12KB

Download
memory/3564-4-0x0000000008680000-0x00000000086F9000-memory.dmp

Filesize
484KB

Download
memory/3564-3-0x0000000002D50000-0x0000000002D53000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing