eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182

General

Target

eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
Size

536KB
MD5

28c02719f2de6293661a4b2a6d8a37cc
SHA1

0ce348381bd019aed4c9a0fbc52ec9422cdb536c
SHA256

eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182
SHA512

bd6e761f7dc12e45b7f8e0d1baf5c1920d40af697a87805378c2fc180ae02dbe0d5b91c2c5440f04e973e2878b08e91d52752d24e73ea3c313d71940b3dcd68c
SSDEEP

12288:Lhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:LdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4600-0-0x0000000000480000-0x0000000000582000-memory.dmp	upx
behavioral2/memory/4600-10-0x0000000000480000-0x0000000000582000-memory.dmp	upx
behavioral2/memory/4600-24-0x0000000000480000-0x0000000000582000-memory.dmp	upx
behavioral2/memory/4600-25-0x0000000000480000-0x0000000000582000-memory.dmp	upx
behavioral2/memory/4600-30-0x0000000000480000-0x0000000000582000-memory.dmp	upx
behavioral2/memory/4600-42-0x0000000000480000-0x0000000000582000-memory.dmp	upx
behavioral2/memory/4600-66-0x0000000000480000-0x0000000000582000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4ec0f0	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
3500	Explorer.EXE
3500	Explorer.EXE
3500	Explorer.EXE
3500	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
Token: SeTcbPrivilege	4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
Token: SeDebugPrivilege	4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
Token: SeDebugPrivilege	3500	Explorer.EXE
Token: SeTcbPrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3500	Explorer.EXE
3500	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3500	4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe	49
PID 4600 wrote to memory of 3500	4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe	49
PID 4600 wrote to memory of 3500	4600	eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe	49

C:\Users\Admin\AppData\Local\Temp\eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe
"C:\Users\Admin\AppData\Local\Temp\eba438a8985ab06c32ebd12efef677d63d016a42255054212817712d27fcc182.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
d85769773d72bde074bd3ee7fbea5ac9

SHA1
328f6f59dfe3b8e5c77892c99e510a825a98b57e

SHA256
1d7af3b6f2f8d19ef3b50a5e7e56eeabc19e1d9c23e526fe9b6c6d959bcc9f81

SHA512
35fc244d41d270d2b4d321fd5695ba77f55c9159a6a8c9661cdaa624f54197ba5c5045bc6e3d985b33b6caa16b0e8ebc6ad18c719d594591174b61de1c74955d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
1056eb58c3581be02d1d4430f2007fce

SHA1
665c3a7f4ad8c58993807199e3b0e56f7f53ad1f

SHA256
ad59bbc6177f7bd13a2c6cf3fc7af9550fac13cdc81519c7d2e9ab35fe11abd3

SHA512
9b522f941a78913d4e2a7e30a0412cc919607a709c0f712716b140099a7949ee41cbf9c993dc878b45e581f529c1e9c360bd61f0ea85561137ab605588881f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
605ca4805202d7179b29a8d71683c265

SHA1
0d05549879b385fa2b794f9e2ef34eb233d52abb

SHA256
86865a5efe498620b083083040ee2edfaa28182f5af934d8d5ac48063d3f7750

SHA512
60939088d1f5ce9da8e4d299ff523ae83e4c75a2b463b79694386216556a81526c547292358cd3fb210627898649fa3aee206d1c9e5814f39a542a616e2fe790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
85b2e05b163f8456b5ebb7b413ff2f02

SHA1
f33465c9a1ebb4c5cf083e7f9e12fefdb4503c53

SHA256
1d26469eacb7e4e332b1acdd007576e580b7265cb094237b98f6cc7cc158419f

SHA512
852ac9ace014b39534aae95ba2206a650cf7fd3a0ea04af98de3819e1193e0dd99a457ee1fc564bc9edf04e36cd81ccbc0825300818314948811edbbe4f659bc

Download Submit
memory/3500-3-0x0000000002DB0000-0x0000000002DB3000-memory.dmp

Filesize
12KB

Download
memory/3500-15-0x0000000007630000-0x00000000076A9000-memory.dmp

Filesize
484KB

Download
memory/3500-4-0x0000000007630000-0x00000000076A9000-memory.dmp

Filesize
484KB

Download
memory/3500-5-0x0000000002DB0000-0x0000000002DB3000-memory.dmp

Filesize
12KB

Download
memory/3500-6-0x0000000007630000-0x00000000076A9000-memory.dmp

Filesize
484KB

Download
memory/4600-10-0x0000000000480000-0x0000000000582000-memory.dmp

Filesize
1.0MB

Download
memory/4600-0-0x0000000000480000-0x0000000000582000-memory.dmp

Filesize
1.0MB

Download
memory/4600-24-0x0000000000480000-0x0000000000582000-memory.dmp

Filesize
1.0MB

Download
memory/4600-25-0x0000000000480000-0x0000000000582000-memory.dmp

Filesize
1.0MB

Download
memory/4600-30-0x0000000000480000-0x0000000000582000-memory.dmp

Filesize
1.0MB

Download
memory/4600-42-0x0000000000480000-0x0000000000582000-memory.dmp

Filesize
1.0MB

Download
memory/4600-66-0x0000000000480000-0x0000000000582000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing