bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d

General

Target

bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
Size

536KB
MD5

e8b3754676c5d5881fb0a08d84ca1367
SHA1

340dcf0227603e18fc25766db36961a486e7004f
SHA256

bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d
SHA512

7f379744856c2f69bcf046e04f789b254606ca3ccebb8038d4c9a044c355f3969435b8d23c933eb4be71b8fa0a9c3afb4adea55228351d7c693582e970b9f9e8
SSDEEP

12288:chf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:cdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4416-0-0x0000000000E40000-0x0000000000F42000-memory.dmp	upx
behavioral2/memory/4416-1-0x0000000000E40000-0x0000000000F42000-memory.dmp	upx
behavioral2/memory/4416-2-0x0000000000E40000-0x0000000000F42000-memory.dmp	upx
behavioral2/memory/4416-8-0x0000000000E40000-0x0000000000F42000-memory.dmp	upx
behavioral2/memory/4416-21-0x0000000000E40000-0x0000000000F42000-memory.dmp	upx
behavioral2/memory/4416-31-0x0000000000E40000-0x0000000000F42000-memory.dmp	upx
behavioral2/memory/4416-32-0x0000000000E40000-0x0000000000F42000-memory.dmp	upx
behavioral2/memory/4416-39-0x0000000000E40000-0x0000000000F42000-memory.dmp	upx
behavioral2/memory/4416-49-0x0000000000E40000-0x0000000000F42000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4b9a80	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
3472	Explorer.EXE
3472	Explorer.EXE
3472	Explorer.EXE
3472	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
Token: SeTcbPrivilege	4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
Token: SeDebugPrivilege	4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
Token: SeDebugPrivilege	3472	Explorer.EXE
Token: SeTcbPrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3472	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 3472	4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe	52
PID 4416 wrote to memory of 3472	4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe	52
PID 4416 wrote to memory of 3472	4416	bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3472
- C:\Users\Admin\AppData\Local\Temp\bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe
  "C:\Users\Admin\AppData\Local\Temp\bb4c4fe763e3a80945fc3f9617c981d3c7a9d48d9b6616e42c172884dc32102d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
d85769773d72bde074bd3ee7fbea5ac9

SHA1
328f6f59dfe3b8e5c77892c99e510a825a98b57e

SHA256
1d7af3b6f2f8d19ef3b50a5e7e56eeabc19e1d9c23e526fe9b6c6d959bcc9f81

SHA512
35fc244d41d270d2b4d321fd5695ba77f55c9159a6a8c9661cdaa624f54197ba5c5045bc6e3d985b33b6caa16b0e8ebc6ad18c719d594591174b61de1c74955d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
2b8f154a1ad8e38564c8eddc9f79e98c

SHA1
184408041346bbebcb6127ae1cf1b756c3e8b5fd

SHA256
607a7b2d77cc24953f760e41853852bc7df90580f76d60a2818cc755cf7a12b5

SHA512
634b49a51f0098ca41a208f3b95b85e19bcc87951f528d750afa1d132e2b6beceea52f5dd8ca358a8d9ef898087a55fdebfcb8fc60d8a1ff53066c2296637bd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
aea5f9176ddb2b1b0ed8112f17e7c681

SHA1
02a8166527500b875abc2017aafa3b9724e12ee6

SHA256
0fb524feae108d0fc54fad8634c843d7dfd2cd58062a41feb3a39c4928ac5203

SHA512
19bec52715366e6ffb1f3a0db56b5bfc6949f4db3b387bb24746c4e4eb796fd024486e821aa463bc78949ee6cf6141b037b35f3fba8999374d9327af2fb61e22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
622151131826a578bb9c7a5c19e78617

SHA1
07c489b79b607dd38968af06339663b8f81cfd9b

SHA256
2a765607f65ed58b75d5a2428d30c6c7496f4d458ba64a9eafbc6bec0d040168

SHA512
414ffa61a5fc7d2f1a6f00ae2e8d2cbabd3f283d92cfa350fd325deb8195c07fcaf73f734d0f61a360a66cf806ace53bbf0c91c02a0ce114fd74440366c60bb1

Download Submit
memory/3472-6-0x0000000007D50000-0x0000000007DC9000-memory.dmp

Filesize
484KB

Download
memory/3472-5-0x0000000000730000-0x0000000000733000-memory.dmp

Filesize
12KB

Download
memory/3472-7-0x0000000000730000-0x0000000000733000-memory.dmp

Filesize
12KB

Download
memory/3472-9-0x0000000007D50000-0x0000000007DC9000-memory.dmp

Filesize
484KB

Download
memory/3472-18-0x0000000007D50000-0x0000000007DC9000-memory.dmp

Filesize
484KB

Download
memory/4416-21-0x0000000000E40000-0x0000000000F42000-memory.dmp

Filesize
1.0MB

Download
memory/4416-0-0x0000000000E40000-0x0000000000F42000-memory.dmp

Filesize
1.0MB

Download
memory/4416-8-0x0000000000E40000-0x0000000000F42000-memory.dmp

Filesize
1.0MB

Download
memory/4416-2-0x0000000000E40000-0x0000000000F42000-memory.dmp

Filesize
1.0MB

Download
memory/4416-1-0x0000000000E40000-0x0000000000F42000-memory.dmp

Filesize
1.0MB

Download
memory/4416-31-0x0000000000E40000-0x0000000000F42000-memory.dmp

Filesize
1.0MB

Download
memory/4416-32-0x0000000000E40000-0x0000000000F42000-memory.dmp

Filesize
1.0MB

Download
memory/4416-39-0x0000000000E40000-0x0000000000F42000-memory.dmp

Filesize
1.0MB

Download
memory/4416-49-0x0000000000E40000-0x0000000000F42000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing