313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69

General

Target

313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
Size

536KB
MD5

c96402fc0c0c36808c754b4329bed5f5
SHA1

05ff2d88b6249ed0b49e48271189b1eb6c4ab033
SHA256

313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69
SHA512

7230c3a02ac6140eade58b213a54d293ef347fb6cb9533b95bcac43d8392e48484c530667484015cb9a6c0a14f8c9a71cffd0c08082a190c20037ad8151a9256
SSDEEP

12288:xhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:xdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3092-0-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx
behavioral2/memory/3092-1-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx
behavioral2/memory/3092-5-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx
behavioral2/memory/3092-14-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx
behavioral2/memory/3092-22-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx
behavioral2/memory/3092-23-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx
behavioral2/memory/3092-30-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx
behavioral2/memory/3092-32-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx
behavioral2/memory/3092-37-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx
behavioral2/memory/3092-47-0x0000000000A10000-0x0000000000B12000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\34efa8	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
Token: SeTcbPrivilege	3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
Token: SeDebugPrivilege	3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
Token: SeDebugPrivilege	3520	Explorer.EXE
Token: SeTcbPrivilege	3520	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 3520	3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe	61
PID 3092 wrote to memory of 3520	3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe	61
PID 3092 wrote to memory of 3520	3092	313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe	61

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520
- C:\Users\Admin\AppData\Local\Temp\313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe
  "C:\Users\Admin\AppData\Local\Temp\313bea716c38f84d2c1e25d2756ea57058b0f9fa568c87a6f63b81ab1685aa69.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a039206bc8b0a874e2c0b9877f419245

SHA1
53dd769d695629234c9139befe5d904ea397499c

SHA256
9feced339ad79d6e5f20642352e69a8e55b25be51d9a68fc7f517c2bfce79636

SHA512
dfedf8e3d6e08c3cb845c7579548bd76e122764f4c9e697f7991bad5ce02fdf8f02955251015ecef80d4353042823224da8c973fbd5b559c203e3bf4bd9f77ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c3a1ad003ce7168886937c70919b481b

SHA1
70e982db3798fb47d64ae1a02cfc37998e089b5a

SHA256
37d97381e7d6823f1342987ef5a056200b512ef69b98020617986b0ff39f0a50

SHA512
c8a0da1665552f53b79fdf7514d09115c78ec311ab90721053aa1690901496ea94e6bc79dd8eb92663410825a6bd3af413e7550ebc263326fa4f7917eee83cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
0cdf7b70e37a37923fea3da891f9fb11

SHA1
60c0a0356df89ba15c1036e76842993d439ee534

SHA256
cabb04e2b2ae003031f2cf6055110d56a59264b10427be70acf3706651fc37df

SHA512
7f33b563e82b30570a70b167b6b00e450cdab9c34015ba32eecd855c79fe716f460d603e394d64e2a6f2b38a1f78ef61d79cfc65f957d736bb3ba1639d03e26a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
6de674e0530b1c6ea080efd1df3e5ca7

SHA1
59d7d4d2181854088d166d6edd6ea4c48b292768

SHA256
e65a34180e75b23aaf176fdc674c841f90473ff7fc980358d5e5d3fc7fd743a8

SHA512
b2718b0d842fd1a65fcc820428fa0c635c85c6cb5e0a581b027c9a19ef1b03bb03aadde1fc152448190e117edfffbac94b258527878225c5e025df910c7da3d2

Download Submit
memory/3092-22-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3092-23-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3092-47-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3092-37-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3092-14-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3092-32-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3092-0-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3092-30-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3092-1-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3092-5-0x0000000000A10000-0x0000000000B12000-memory.dmp

Filesize
1.0MB

Download
memory/3520-6-0x00000000005A0000-0x00000000005A3000-memory.dmp

Filesize
12KB

Download
memory/3520-7-0x00000000005A0000-0x00000000005A3000-memory.dmp

Filesize
12KB

Download
memory/3520-8-0x0000000008630000-0x00000000086A9000-memory.dmp

Filesize
484KB

Download
memory/3520-19-0x0000000008630000-0x00000000086A9000-memory.dmp

Filesize
484KB

Download
memory/3520-9-0x00000000005A0000-0x00000000005A3000-memory.dmp

Filesize
12KB

Download
memory/3520-10-0x0000000008630000-0x00000000086A9000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing