7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b

General

Target

7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
Size

536KB
MD5

d13107943dcc29c0b0706f778669d5a4
SHA1

c4c12f9db5746a446f30bdf0f8d7a51ee3ae9656
SHA256

7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b
SHA512

b56b3f34ace68f979e5062f0667793856f6fc4301e6b4fa11d42fdbd1e656076c3f6afff1a8c41682b5281ae40f2df5e88cba98920f15d8bbd20c9562bf4369c
SSDEEP

12288:4hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:4dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2192-0-0x0000000000FE0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2192-14-0x0000000000FE0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2192-25-0x0000000000FE0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2192-27-0x0000000000FE0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2192-30-0x0000000000FE0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2192-44-0x0000000000FE0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2192-68-0x0000000000FE0000-0x00000000010E2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\258720	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
Token: SeTcbPrivilege	2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
Token: SeDebugPrivilege	2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
Token: SeDebugPrivilege	3512	Explorer.EXE
Token: SeTcbPrivilege	3512	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3512	2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe	67
PID 2192 wrote to memory of 3512	2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe	67
PID 2192 wrote to memory of 3512	2192	7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe	67

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512
- C:\Users\Admin\AppData\Local\Temp\7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe
  "C:\Users\Admin\AppData\Local\Temp\7b51e2ea395b509fee0213088cab74d8ed4f9f122e8603174cfd0f533cf5ac7b.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a039206bc8b0a874e2c0b9877f419245

SHA1
53dd769d695629234c9139befe5d904ea397499c

SHA256
9feced339ad79d6e5f20642352e69a8e55b25be51d9a68fc7f517c2bfce79636

SHA512
dfedf8e3d6e08c3cb845c7579548bd76e122764f4c9e697f7991bad5ce02fdf8f02955251015ecef80d4353042823224da8c973fbd5b559c203e3bf4bd9f77ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c3a1ad003ce7168886937c70919b481b

SHA1
70e982db3798fb47d64ae1a02cfc37998e089b5a

SHA256
37d97381e7d6823f1342987ef5a056200b512ef69b98020617986b0ff39f0a50

SHA512
c8a0da1665552f53b79fdf7514d09115c78ec311ab90721053aa1690901496ea94e6bc79dd8eb92663410825a6bd3af413e7550ebc263326fa4f7917eee83cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
89055fa8bcfc5862280658b383fb2616

SHA1
f62738d81081c7a40b9f2428eb49c68bd923753e

SHA256
647c42614e288f25320a3164a014c1056d4fdd34adbf2dbad933d87dbcd485b0

SHA512
6d6942b1a9ae503a189b6d84d7f96f663bd1fd803cac429dc2d6fbb2a2b937c8054a9a9d1b8ab2a65dd844fc17db67d37f3d681016166256f2f94769359b21b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
8757999667f33376d239d3d4a9b1faef

SHA1
e25bc07d42ce99d4021e59d1632898b2fb979349

SHA256
19366fe8bd8e66b3aeea9622e9368b07fb16e9f13c48b81d9131034fb194f41b

SHA512
c338ed9d23c739acc5fee81b85c3a6755cbb1ef6d229b5d7e0a3d2927ea2280baf92c1e11e28ab70b937fae86bff70ac62bb898fa0f3c0a6084a39eb429b3a46

Download Submit
memory/2192-25-0x0000000000FE0000-0x00000000010E2000-memory.dmp

Filesize
1.0MB

Download
memory/2192-14-0x0000000000FE0000-0x00000000010E2000-memory.dmp

Filesize
1.0MB

Download
memory/2192-0-0x0000000000FE0000-0x00000000010E2000-memory.dmp

Filesize
1.0MB

Download
memory/2192-27-0x0000000000FE0000-0x00000000010E2000-memory.dmp

Filesize
1.0MB

Download
memory/2192-30-0x0000000000FE0000-0x00000000010E2000-memory.dmp

Filesize
1.0MB

Download
memory/2192-44-0x0000000000FE0000-0x00000000010E2000-memory.dmp

Filesize
1.0MB

Download
memory/2192-68-0x0000000000FE0000-0x00000000010E2000-memory.dmp

Filesize
1.0MB

Download
memory/3512-3-0x0000000002BA0000-0x0000000002BA3000-memory.dmp

Filesize
12KB

Download
memory/3512-16-0x0000000003270000-0x00000000032E9000-memory.dmp

Filesize
484KB

Download
memory/3512-6-0x0000000002BA0000-0x0000000002BA3000-memory.dmp

Filesize
12KB

Download
memory/3512-7-0x0000000003270000-0x00000000032E9000-memory.dmp

Filesize
484KB

Download
memory/3512-4-0x0000000002BA0000-0x0000000002BA3000-memory.dmp

Filesize
12KB

Download
memory/3512-5-0x0000000003270000-0x00000000032E9000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing