e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc

General

Target

e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
Size

536KB
MD5

bed29bb681d99164fe95fed1a02a7310
SHA1

a02e64da076a1769361b4f7c2523ee0e012d4c5f
SHA256

e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc
SHA512

0284095b13bfe991f28f8cf63c006601c06b7f9257f3c8cbdb88418eb1ddd32259fe6678d4acff74c0cb6f6fa0e09d0b7ef36f2715cd0f2648ce892486ef4180
SSDEEP

12288:phf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:pdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4880-0-0x0000000000F10000-0x0000000001012000-memory.dmp	upx
behavioral2/memory/4880-8-0x0000000000F10000-0x0000000001012000-memory.dmp	upx
behavioral2/memory/4880-19-0x0000000000F10000-0x0000000001012000-memory.dmp	upx
behavioral2/memory/4880-27-0x0000000000F10000-0x0000000001012000-memory.dmp	upx
behavioral2/memory/4880-28-0x0000000000F10000-0x0000000001012000-memory.dmp	upx
behavioral2/memory/4880-35-0x0000000000F10000-0x0000000001012000-memory.dmp	upx
behavioral2/memory/4880-45-0x0000000000F10000-0x0000000001012000-memory.dmp	upx
behavioral2/memory/4880-69-0x0000000000F10000-0x0000000001012000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\538c20	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
Token: SeTcbPrivilege	4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
Token: SeDebugPrivilege	4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
Token: SeDebugPrivilege	3428	Explorer.EXE
Token: SeTcbPrivilege	3428	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3428	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3428	4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe	52
PID 4880 wrote to memory of 3428	4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe	52
PID 4880 wrote to memory of 3428	4880	e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3428
- C:\Users\Admin\AppData\Local\Temp\e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe
  "C:\Users\Admin\AppData\Local\Temp\e70b003d9319000ca32bbd5e8b5fdd7a00969cc249e1dda3cd133247d2657ffc.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
0f7284d581cc2e23607d4c9819717e19

SHA1
994bc92c6c7bdb08851b4b158f6169c6f4386bf1

SHA256
bebc36ac5a37a509572f4d0fbebeee65b65eacb175878e850e8131c0ecc824c2

SHA512
088eb346e5562637256c8544b76955a5678473bc74785276bfb1c375ea605011f26a460f2730575350100e00ba0e86374eb7ccabf855836219ff00739f0e6c97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c3a1ad003ce7168886937c70919b481b

SHA1
70e982db3798fb47d64ae1a02cfc37998e089b5a

SHA256
37d97381e7d6823f1342987ef5a056200b512ef69b98020617986b0ff39f0a50

SHA512
c8a0da1665552f53b79fdf7514d09115c78ec311ab90721053aa1690901496ea94e6bc79dd8eb92663410825a6bd3af413e7550ebc263326fa4f7917eee83cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
773a1d5fc53d27208ce91a4b3671f05e

SHA1
5cabe6ea360ce3dd8dc3fb0d2ae59a50d596dfee

SHA256
f4ab788a8cbe10371d8fa35672d921c510f8b5224e7178b40d0b8e40f3e81255

SHA512
47a7aee7ee97f6ad3f7cd868913dc314dcce19da7db11e63fe4cf1a706f72768268a3501f63ffa7b7d4eaf001ef7d5a55ca01b0368ab638c39480f2ca533c79d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
9ad7beb0a755c8fe5d285de385709d4b

SHA1
539910cd250638192c1c00bd364aa24e3adef580

SHA256
a13200569c511e3a70a2093bb8825233f0cf547e6e521a49c6c1dada18581d01

SHA512
6271f8992ac96e56f9df6db6d7099b4b6ef9149b62d94e86b1894acfd5d60e38c6ff36b59ff649ada3bf2b7f71536e603b6f9ddeb0a0c2baf800891cf5d85450

Download Submit
memory/3428-7-0x00000000087E0000-0x0000000008859000-memory.dmp

Filesize
484KB

Download
memory/3428-17-0x00000000087E0000-0x0000000008859000-memory.dmp

Filesize
484KB

Download
memory/3428-6-0x00000000028F0000-0x00000000028F3000-memory.dmp

Filesize
12KB

Download
memory/3428-4-0x00000000087E0000-0x0000000008859000-memory.dmp

Filesize
484KB

Download
memory/3428-3-0x00000000028F0000-0x00000000028F3000-memory.dmp

Filesize
12KB

Download
memory/4880-8-0x0000000000F10000-0x0000000001012000-memory.dmp

Filesize
1.0MB

Download
memory/4880-19-0x0000000000F10000-0x0000000001012000-memory.dmp

Filesize
1.0MB

Download
memory/4880-0-0x0000000000F10000-0x0000000001012000-memory.dmp

Filesize
1.0MB

Download
memory/4880-27-0x0000000000F10000-0x0000000001012000-memory.dmp

Filesize
1.0MB

Download
memory/4880-28-0x0000000000F10000-0x0000000001012000-memory.dmp

Filesize
1.0MB

Download
memory/4880-35-0x0000000000F10000-0x0000000001012000-memory.dmp

Filesize
1.0MB

Download
memory/4880-45-0x0000000000F10000-0x0000000001012000-memory.dmp

Filesize
1.0MB

Download
memory/4880-69-0x0000000000F10000-0x0000000001012000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing