98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d

General

Target

98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
Size

536KB
MD5

b417683b010f08fd682e1ecd08df390f
SHA1

acb0cbea21503f9a5496a54a4e37a426dd86dd1d
SHA256

98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d
SHA512

335d874a3079121aa1a21eaa896eee103c341cbdac3a0fee559c6ef54ea19787b087168f2931aa91a6ecb697c4fca0382489288652bff9471e2e34b77ae8b146
SSDEEP

12288:Fhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:FdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4584-0-0x0000000000720000-0x0000000000822000-memory.dmp	upx
behavioral2/memory/4584-14-0x0000000000720000-0x0000000000822000-memory.dmp	upx
behavioral2/memory/4584-25-0x0000000000720000-0x0000000000822000-memory.dmp	upx
behavioral2/memory/4584-26-0x0000000000720000-0x0000000000822000-memory.dmp	upx
behavioral2/memory/4584-31-0x0000000000720000-0x0000000000822000-memory.dmp	upx
behavioral2/memory/4584-36-0x0000000000720000-0x0000000000822000-memory.dmp	upx
behavioral2/memory/4584-48-0x0000000000720000-0x0000000000822000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4e7ad0	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
3480	Explorer.EXE
3480	Explorer.EXE
3480	Explorer.EXE
3480	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
Token: SeTcbPrivilege	4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
Token: SeDebugPrivilege	4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
Token: SeDebugPrivilege	3480	Explorer.EXE
Token: SeTcbPrivilege	3480	Explorer.EXE
Token: SeShutdownPrivilege	3480	Explorer.EXE
Token: SeCreatePagefilePrivilege	3480	Explorer.EXE
Token: SeShutdownPrivilege	3480	Explorer.EXE
Token: SeCreatePagefilePrivilege	3480	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3480	Explorer.EXE
3480	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3480	4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe	45
PID 4584 wrote to memory of 3480	4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe	45
PID 4584 wrote to memory of 3480	4584	98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3480
- C:\Users\Admin\AppData\Local\Temp\98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe
  "C:\Users\Admin\AppData\Local\Temp\98975f44f884d17889309e0a91f0ac48fbb098184a32685deac773345cfdb88d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
0fd37457356cb7e5b540cbf9f2994f11

SHA1
70cb5723cd1016993535e021df7d2368b13c4711

SHA256
f6b81f04024798caabed4299d5ee85e30f1a8d5c1171dcce0c950714c71fb2d5

SHA512
fb67b5a7a0423c33a5b10879d359b4c3ddf0355d00a9be377f5ee3e636665db87cf74b202e276a37691106a71c411b96291c82202e7699cf71d43c061e6002d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
2b8f154a1ad8e38564c8eddc9f79e98c

SHA1
184408041346bbebcb6127ae1cf1b756c3e8b5fd

SHA256
607a7b2d77cc24953f760e41853852bc7df90580f76d60a2818cc755cf7a12b5

SHA512
634b49a51f0098ca41a208f3b95b85e19bcc87951f528d750afa1d132e2b6beceea52f5dd8ca358a8d9ef898087a55fdebfcb8fc60d8a1ff53066c2296637bd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
f91fc95695dab4e1936040fca00072e5

SHA1
c903e7a3cfee0f17845aeae85a43bcb0acb4c4f3

SHA256
d85a63fb29a2d4a21d9b925152298c03c82d29c12234c8c9a4d1218784d7d072

SHA512
5cbfa16c213449b1dc2e0cfbef16408a3e6bfb653f888695614c17012cb66d38eacdce306cbeec7d6938349d741cbcae758d8d80a1c9738187c77c613508e308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
499aec6aa1b1af936cf30acdd1fefc94

SHA1
4210c260bdf56ef75107337df4c4f4969bcf7ec9

SHA256
e318e3546eba56dc32386025d78182203da5a485c5663044f5f126a32614bc49

SHA512
966d6083cf9ee876e322f2af9a9ad864d4bfd71aa599f1e1c97e96a2d2a548947088f54a37ae408195914f9af2f722b5a3b37333e29ce23006e10daf14d3b9d2

Download Submit
memory/3480-7-0x0000000002A70000-0x0000000002AE9000-memory.dmp

Filesize
484KB

Download
memory/3480-16-0x0000000002A70000-0x0000000002AE9000-memory.dmp

Filesize
484KB

Download
memory/3480-6-0x0000000000720000-0x0000000000723000-memory.dmp

Filesize
12KB

Download
memory/3480-4-0x0000000002A70000-0x0000000002AE9000-memory.dmp

Filesize
484KB

Download
memory/3480-3-0x0000000000720000-0x0000000000723000-memory.dmp

Filesize
12KB

Download
memory/4584-14-0x0000000000720000-0x0000000000822000-memory.dmp

Filesize
1.0MB

Download
memory/4584-0-0x0000000000720000-0x0000000000822000-memory.dmp

Filesize
1.0MB

Download
memory/4584-25-0x0000000000720000-0x0000000000822000-memory.dmp

Filesize
1.0MB

Download
memory/4584-26-0x0000000000720000-0x0000000000822000-memory.dmp

Filesize
1.0MB

Download
memory/4584-31-0x0000000000720000-0x0000000000822000-memory.dmp

Filesize
1.0MB

Download
memory/4584-36-0x0000000000720000-0x0000000000822000-memory.dmp

Filesize
1.0MB

Download
memory/4584-48-0x0000000000720000-0x0000000000822000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing