3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f

General

Target

3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
Size

536KB
MD5

10a61515a946d6547db7656fb9e92e5b
SHA1

079aa7b6e0d6011fbe3f41a73e05177273b305a2
SHA256

3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f
SHA512

03ebc0ba4b51f2acad86198407bbb687f197ba856c47200bee66f5fdffa0bfa824a21b00c3f0f62e052ee4917ef1cf0f45fcaf3cceadeaca4c764e1ad1fc9fd6
SSDEEP

12288:Xhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:XdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2252-0-0x00000000003D0000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2252-13-0x00000000003D0000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2252-24-0x00000000003D0000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2252-29-0x00000000003D0000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2252-41-0x00000000003D0000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2252-65-0x00000000003D0000-0x00000000004D2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\268e18	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
3524	Explorer.EXE
3524	Explorer.EXE
3524	Explorer.EXE
3524	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
Token: SeTcbPrivilege	2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
Token: SeDebugPrivilege	2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
Token: SeDebugPrivilege	3524	Explorer.EXE
Token: SeTcbPrivilege	3524	Explorer.EXE
Token: SeShutdownPrivilege	3524	Explorer.EXE
Token: SeCreatePagefilePrivilege	3524	Explorer.EXE
Token: SeShutdownPrivilege	3524	Explorer.EXE
Token: SeCreatePagefilePrivilege	3524	Explorer.EXE
Token: SeShutdownPrivilege	3524	Explorer.EXE
Token: SeCreatePagefilePrivilege	3524	Explorer.EXE
Token: SeShutdownPrivilege	3524	Explorer.EXE
Token: SeCreatePagefilePrivilege	3524	Explorer.EXE
Token: SeShutdownPrivilege	3524	Explorer.EXE
Token: SeCreatePagefilePrivilege	3524	Explorer.EXE
Token: SeShutdownPrivilege	3524	Explorer.EXE
Token: SeCreatePagefilePrivilege	3524	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3524	Explorer.EXE
3524	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3524	2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe	30
PID 2252 wrote to memory of 3524	2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe	30
PID 2252 wrote to memory of 3524	2252	3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3524
- C:\Users\Admin\AppData\Local\Temp\3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe
  "C:\Users\Admin\AppData\Local\Temp\3b396ace0baa23854e6b8329fff59ca58c7ca5e8bbda63c5687d23f04d8a5f5f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
0f7284d581cc2e23607d4c9819717e19

SHA1
994bc92c6c7bdb08851b4b158f6169c6f4386bf1

SHA256
bebc36ac5a37a509572f4d0fbebeee65b65eacb175878e850e8131c0ecc824c2

SHA512
088eb346e5562637256c8544b76955a5678473bc74785276bfb1c375ea605011f26a460f2730575350100e00ba0e86374eb7ccabf855836219ff00739f0e6c97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
c5ebc7025a5a10840488686935855658

SHA1
faa28fd70874c20800c643a0b81f196a44f6c89d

SHA256
e515b754eb2b407a81a6f9eab32d62ecf51228a5c7ecba6fbd7a2dd8e53cedb5

SHA512
e782e85cbe266ff355944e97b26c4d634c01f0aa7e790e62a1290acd0ad72cab00732a5bfbf38ef960644b82b1a7fa7ba516f9febe784eb1f633285c9af2ce1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
f59d91e2e4ac266ca5089e7380eda829

SHA1
4aeda426b90deabcc648b8fa7ff8cdb64aae8f4c

SHA256
a6c47d748852ba9f2f9bbab998f4465c490ac42f41870ff655e8f61ebcfddafe

SHA512
29751b1cc87fa0f97f7a551b51dc4c4bb98e3eb090e42e7bc73aea0bd8ea0d60347e60a436cf762d965763bf49b96a6635dc882ef013e7f05a4ca20ae62b97c9

Download Submit
memory/2252-65-0x00000000003D0000-0x00000000004D2000-memory.dmp

Filesize
1.0MB

Download
memory/2252-41-0x00000000003D0000-0x00000000004D2000-memory.dmp

Filesize
1.0MB

Download
memory/2252-0-0x00000000003D0000-0x00000000004D2000-memory.dmp

Filesize
1.0MB

Download
memory/2252-29-0x00000000003D0000-0x00000000004D2000-memory.dmp

Filesize
1.0MB

Download
memory/2252-13-0x00000000003D0000-0x00000000004D2000-memory.dmp

Filesize
1.0MB

Download
memory/2252-24-0x00000000003D0000-0x00000000004D2000-memory.dmp

Filesize
1.0MB

Download
memory/3524-5-0x00000000024B0000-0x00000000024B3000-memory.dmp

Filesize
12KB

Download
memory/3524-15-0x0000000007800000-0x0000000007879000-memory.dmp

Filesize
484KB

Download
memory/3524-3-0x00000000024B0000-0x00000000024B3000-memory.dmp

Filesize
12KB

Download
memory/3524-6-0x0000000007800000-0x0000000007879000-memory.dmp

Filesize
484KB

Download
memory/3524-4-0x0000000007800000-0x0000000007879000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing