9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8

General

Target

9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
Size

536KB
MD5

b26186f13f6a58a245c134572adf5702
SHA1

3d2c3443baa2c1c43ea54a988178b35cf154fe61
SHA256

9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8
SHA512

00f98705fda59b4e238b128eaa25aed24b7375249368f934a966831db98fe6d4fb3577092ee5a4c514668036d5fee2d14acaeab17943fb08a472e42a21c4d464
SSDEEP

12288:7hf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:7dQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5048-0-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/5048-13-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/5048-24-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/5048-26-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/5048-31-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/5048-43-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx
behavioral2/memory/5048-67-0x0000000000E10000-0x0000000000F12000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\566c70	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
Token: SeTcbPrivilege	5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
Token: SeDebugPrivilege	5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
Token: SeDebugPrivilege	3512	Explorer.EXE
Token: SeTcbPrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3512	Explorer.EXE
3512	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3512	5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe	48
PID 5048 wrote to memory of 3512	5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe	48
PID 5048 wrote to memory of 3512	5048	9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe	48

C:\Users\Admin\AppData\Local\Temp\9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe
"C:\Users\Admin\AppData\Local\Temp\9950513d1f19db9c6f3d3ae1e7342240fc8d93a300c8316a7451e6de76f2b6c8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
0f7284d581cc2e23607d4c9819717e19

SHA1
994bc92c6c7bdb08851b4b158f6169c6f4386bf1

SHA256
bebc36ac5a37a509572f4d0fbebeee65b65eacb175878e850e8131c0ecc824c2

SHA512
088eb346e5562637256c8544b76955a5678473bc74785276bfb1c375ea605011f26a460f2730575350100e00ba0e86374eb7ccabf855836219ff00739f0e6c97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c3a1ad003ce7168886937c70919b481b

SHA1
70e982db3798fb47d64ae1a02cfc37998e089b5a

SHA256
37d97381e7d6823f1342987ef5a056200b512ef69b98020617986b0ff39f0a50

SHA512
c8a0da1665552f53b79fdf7514d09115c78ec311ab90721053aa1690901496ea94e6bc79dd8eb92663410825a6bd3af413e7550ebc263326fa4f7917eee83cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
bad85b6f3774d10450c93dcc623bb157

SHA1
559474f915cabf475a41e0b18711eb6db66565e9

SHA256
fafdcda48536ab814becac112c7509ade1be2153bb8fafe487299fa0f759febf

SHA512
d241c2c940a749f157600059e989584107ba32c8663d32dcdd372e1cb21d308313ddf8f1634bff4d76c5fede75916e77a8ec02579ba1842f58bca95afc3cb650

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
ebf62189c4cb8c83e6144a46a75648bd

SHA1
43a56a9b9dd7aaeebc6de1bd033608a5b6df930a

SHA256
14a257a5a4d86e74d8622b555073bcc5bfb0124c89e39bfedfb4f9a020ba5a1f

SHA512
fb5488eeb4b3e2961bef0c3f038fbbba07995c6a3d26b5213a4787d5d6056a68f5c09e8a408e347bd55617fb9a27ffc320228b8445f19805924a26794b6add9f

Download Submit
memory/3512-3-0x0000000002BA0000-0x0000000002BA3000-memory.dmp

Filesize
12KB

Download
memory/3512-15-0x0000000003270000-0x00000000032E9000-memory.dmp

Filesize
484KB

Download
memory/3512-4-0x0000000003270000-0x00000000032E9000-memory.dmp

Filesize
484KB

Download
memory/3512-5-0x0000000002BA0000-0x0000000002BA3000-memory.dmp

Filesize
12KB

Download
memory/3512-6-0x0000000003270000-0x00000000032E9000-memory.dmp

Filesize
484KB

Download
memory/5048-13-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/5048-0-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/5048-24-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/5048-26-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/5048-31-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/5048-43-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download
memory/5048-67-0x0000000000E10000-0x0000000000F12000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing