06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62

General

Target

06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
Size

536KB
MD5

6644fc85b945ff98c865f185e3e625f1
SHA1

8519f9499476a4c1ce1707c13c9c574da32291dd
SHA256

06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62
SHA512

878d16d2ca3983280d5ba7cc0b097ddef0ef131374e190c78b735ec380c3d6767ec38bb7cfe0fcc128d43c6e100c2bc77c9293a1df752b883c3b91cc099afee5
SSDEEP

12288:7hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:7dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2484-0-0x0000000000F70000-0x0000000001072000-memory.dmp	upx
behavioral2/memory/2484-8-0x0000000000F70000-0x0000000001072000-memory.dmp	upx
behavioral2/memory/2484-25-0x0000000000F70000-0x0000000001072000-memory.dmp	upx
behavioral2/memory/2484-26-0x0000000000F70000-0x0000000001072000-memory.dmp	upx
behavioral2/memory/2484-31-0x0000000000F70000-0x0000000001072000-memory.dmp	upx
behavioral2/memory/2484-43-0x0000000000F70000-0x0000000001072000-memory.dmp	upx
behavioral2/memory/2484-67-0x0000000000F70000-0x0000000001072000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2a86e8	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
3468	Explorer.EXE
3468	Explorer.EXE
3468	Explorer.EXE
3468	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
Token: SeTcbPrivilege	2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
Token: SeDebugPrivilege	2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
Token: SeDebugPrivilege	3468	Explorer.EXE
Token: SeTcbPrivilege	3468	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 3468	2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe	43
PID 2484 wrote to memory of 3468	2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe	43
PID 2484 wrote to memory of 3468	2484	06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468
- C:\Users\Admin\AppData\Local\Temp\06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe
  "C:\Users\Admin\AppData\Local\Temp\06074b510d324c11e0d94414ef88ce1314b5cb0f49871ab928747ac0d344fb62.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
d85769773d72bde074bd3ee7fbea5ac9

SHA1
328f6f59dfe3b8e5c77892c99e510a825a98b57e

SHA256
1d7af3b6f2f8d19ef3b50a5e7e56eeabc19e1d9c23e526fe9b6c6d959bcc9f81

SHA512
35fc244d41d270d2b4d321fd5695ba77f55c9159a6a8c9661cdaa624f54197ba5c5045bc6e3d985b33b6caa16b0e8ebc6ad18c719d594591174b61de1c74955d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c3a1ad003ce7168886937c70919b481b

SHA1
70e982db3798fb47d64ae1a02cfc37998e089b5a

SHA256
37d97381e7d6823f1342987ef5a056200b512ef69b98020617986b0ff39f0a50

SHA512
c8a0da1665552f53b79fdf7514d09115c78ec311ab90721053aa1690901496ea94e6bc79dd8eb92663410825a6bd3af413e7550ebc263326fa4f7917eee83cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
249acb47467c23ea18b2ca6e18fe3a21

SHA1
11999a218fee4f19ace71ea490995a25369dc8ee

SHA256
8694fc8201ed8e6bc19d9721853b33484145c64ba74b6033d5d8bd987e4379a3

SHA512
3c12ac1a2404af451f9e65e1b4a411b9f26c02f12d06bc1d992929239c372d77956d4041193d9fa6bcf5b7bb18718d9288316f2fcbc00cc589e4631a31dd2a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
e687f90371ee83c39cb79c8a31a3b324

SHA1
2fec346ec124e04aea0a60cc4e0f9ae8d34eccde

SHA256
c0ac1b193867d042f32c5a573972fac5e1c821813b5195fdca940174973991f6

SHA512
ef5777dbdeaec07ba86ce4edfed85e38b37ef15ff4102fede3d3cf5843d99c8d509012c640379df1b5c63d36f492c963fe9cc7c4aa1b3f28b0fe4a9af7319ce4

Download Submit
C:\Windows\2a86e8

Filesize
4KB

MD5
bfaf668ebaaaa42efae6a40040f1e6a3

SHA1
bedc347d22817f98eff6db27bc0fe288d813f020

SHA256
90fcd981c25a34cf44f65de813cb4ff550c666a09006569960c9627be077469d

SHA512
966771de9e158bdc65f293b988cab2b5c2250403ff777f968063a95eea4f213b39ebe4239d50172c50cf37565a128019226c3d8c2351b1ad69cbc162d9abebe9

Download Submit
memory/2484-25-0x0000000000F70000-0x0000000001072000-memory.dmp

Filesize
1.0MB

Download
memory/2484-8-0x0000000000F70000-0x0000000001072000-memory.dmp

Filesize
1.0MB

Download
memory/2484-0-0x0000000000F70000-0x0000000001072000-memory.dmp

Filesize
1.0MB

Download
memory/2484-26-0x0000000000F70000-0x0000000001072000-memory.dmp

Filesize
1.0MB

Download
memory/2484-31-0x0000000000F70000-0x0000000001072000-memory.dmp

Filesize
1.0MB

Download
memory/2484-43-0x0000000000F70000-0x0000000001072000-memory.dmp

Filesize
1.0MB

Download
memory/2484-67-0x0000000000F70000-0x0000000001072000-memory.dmp

Filesize
1.0MB

Download
memory/3468-16-0x0000000007810000-0x0000000007889000-memory.dmp

Filesize
484KB

Download
memory/3468-4-0x00000000026E0000-0x00000000026E3000-memory.dmp

Filesize
12KB

Download
memory/3468-7-0x0000000007810000-0x0000000007889000-memory.dmp

Filesize
484KB

Download
memory/3468-6-0x00000000026E0000-0x00000000026E3000-memory.dmp

Filesize
12KB

Download
memory/3468-5-0x0000000007810000-0x0000000007889000-memory.dmp

Filesize
484KB

Download
memory/3468-3-0x00000000026E0000-0x00000000026E3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing