3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90

General

Target

3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
Size

536KB
MD5

a99cdbf5ecc015fe5334e7d9768aa21d
SHA1

8c79bb33035657518731de8b1dc66492bc6d950a
SHA256

3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90
SHA512

546b60a26f3547f305177760feb8a1b3d8a846cf6d4ae013e713881b843d24077e3ffd867dace1014bc7561e2f6ac49fb7188da31b6385b1995247bfcfb9115b
SSDEEP

12288:8hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:8dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4496-0-0x0000000000300000-0x0000000000402000-memory.dmp	upx
behavioral2/memory/4496-1-0x0000000000300000-0x0000000000402000-memory.dmp	upx
behavioral2/memory/4496-9-0x0000000000300000-0x0000000000402000-memory.dmp	upx
behavioral2/memory/4496-20-0x0000000000300000-0x0000000000402000-memory.dmp	upx
behavioral2/memory/4496-32-0x0000000000300000-0x0000000000402000-memory.dmp	upx
behavioral2/memory/4496-33-0x0000000000300000-0x0000000000402000-memory.dmp	upx
behavioral2/memory/4496-38-0x0000000000300000-0x0000000000402000-memory.dmp	upx
behavioral2/memory/4496-50-0x0000000000300000-0x0000000000402000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4cf920	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
3580	Explorer.EXE
3580	Explorer.EXE
3580	Explorer.EXE
3580	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
Token: SeTcbPrivilege	4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
Token: SeDebugPrivilege	4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
Token: SeDebugPrivilege	3580	Explorer.EXE
Token: SeTcbPrivilege	3580	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3580	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3580	4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe	43
PID 4496 wrote to memory of 3580	4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe	43
PID 4496 wrote to memory of 3580	4496	3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3580
- C:\Users\Admin\AppData\Local\Temp\3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe
  "C:\Users\Admin\AppData\Local\Temp\3b5c5f320e82e95087a4c4a89e5963b6c53216a76132a66528b7f0cb77f6df90.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
d85769773d72bde074bd3ee7fbea5ac9

SHA1
328f6f59dfe3b8e5c77892c99e510a825a98b57e

SHA256
1d7af3b6f2f8d19ef3b50a5e7e56eeabc19e1d9c23e526fe9b6c6d959bcc9f81

SHA512
35fc244d41d270d2b4d321fd5695ba77f55c9159a6a8c9661cdaa624f54197ba5c5045bc6e3d985b33b6caa16b0e8ebc6ad18c719d594591174b61de1c74955d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c3a1ad003ce7168886937c70919b481b

SHA1
70e982db3798fb47d64ae1a02cfc37998e089b5a

SHA256
37d97381e7d6823f1342987ef5a056200b512ef69b98020617986b0ff39f0a50

SHA512
c8a0da1665552f53b79fdf7514d09115c78ec311ab90721053aa1690901496ea94e6bc79dd8eb92663410825a6bd3af413e7550ebc263326fa4f7917eee83cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
ac8351e1fde08148575eb8e3aa580926

SHA1
29db1e551a5507ffd00d1a74fd7e8f02f8dc1836

SHA256
2b8c4036b2962fc00781a1737ddd07e9a7258a823ff7fe3fe7b6a5b35e48238c

SHA512
3cf2a4b9981e8b9126ea60e1d9fb1ae2d84e766018504184e548b7527218a3ed2436c16d858cd886f0f4906636dca8e31f567abdf0722d5d4cb7ead0d2eda734

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
a23d8c718faf06bcd2e1811caffc7ec7

SHA1
93e21978042212818f8489d4a08fddd0b01f8234

SHA256
612db6575c87e77acbf0a39292237c4d029dd65e24a3ecbcc913a40bfb172bcb

SHA512
45b0f0ea35b4e8d81d1b49d3061731de8ad1cc544f008a3b874f22e3f23312bbc8f65aa4c0d0ccfeb00ecb4c40ccd485089a898c60be598d29f225d2569bfa7b

Download Submit
memory/3580-8-0x0000000008800000-0x0000000008879000-memory.dmp

Filesize
484KB

Download
memory/3580-5-0x0000000006F00000-0x0000000006F03000-memory.dmp

Filesize
12KB

Download
memory/3580-6-0x0000000008800000-0x0000000008879000-memory.dmp

Filesize
484KB

Download
memory/3580-4-0x0000000006F00000-0x0000000006F03000-memory.dmp

Filesize
12KB

Download
memory/3580-17-0x0000000008800000-0x0000000008879000-memory.dmp

Filesize
484KB

Download
memory/3580-7-0x0000000006F00000-0x0000000006F03000-memory.dmp

Filesize
12KB

Download
memory/4496-0-0x0000000000300000-0x0000000000402000-memory.dmp

Filesize
1.0MB

Download
memory/4496-20-0x0000000000300000-0x0000000000402000-memory.dmp

Filesize
1.0MB

Download
memory/4496-9-0x0000000000300000-0x0000000000402000-memory.dmp

Filesize
1.0MB

Download
memory/4496-1-0x0000000000300000-0x0000000000402000-memory.dmp

Filesize
1.0MB

Download
memory/4496-32-0x0000000000300000-0x0000000000402000-memory.dmp

Filesize
1.0MB

Download
memory/4496-33-0x0000000000300000-0x0000000000402000-memory.dmp

Filesize
1.0MB

Download
memory/4496-38-0x0000000000300000-0x0000000000402000-memory.dmp

Filesize
1.0MB

Download
memory/4496-50-0x0000000000300000-0x0000000000402000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing