17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1

General

Target

17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
Size

536KB
MD5

a2be503adb0df940a3b34bf1ec3d7105
SHA1

9f9dfc52171bac00afa168ad693e0ff7e566ce66
SHA256

17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1
SHA512

a841187abd913a39712126713ab01c228c6f534a288425adfb4db4082a2d8d9f2d78ecf24e0330249ab6cb8b18548291a1fad6c573d55aefc7e7d1595e529fe3
SSDEEP

12288:ghf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:gdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4420-0-0x00000000008C0000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/4420-7-0x00000000008C0000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/4420-20-0x00000000008C0000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/4420-25-0x00000000008C0000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/4420-26-0x00000000008C0000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/4420-31-0x00000000008C0000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/4420-45-0x00000000008C0000-0x00000000009C2000-memory.dmp	upx
behavioral2/memory/4420-62-0x00000000008C0000-0x00000000009C2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4bac08	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
Token: SeTcbPrivilege	4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
Token: SeDebugPrivilege	4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
Token: SeDebugPrivilege	3508	Explorer.EXE
Token: SeTcbPrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3508	Explorer.EXE
3508	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 3508	4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe	56
PID 4420 wrote to memory of 3508	4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe	56
PID 4420 wrote to memory of 3508	4420	17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3508
- C:\Users\Admin\AppData\Local\Temp\17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe
  "C:\Users\Admin\AppData\Local\Temp\17366c6589ff276d6a3e7a941afa18fdb9249464d93641544fced280c6da9cd1.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a039206bc8b0a874e2c0b9877f419245

SHA1
53dd769d695629234c9139befe5d904ea397499c

SHA256
9feced339ad79d6e5f20642352e69a8e55b25be51d9a68fc7f517c2bfce79636

SHA512
dfedf8e3d6e08c3cb845c7579548bd76e122764f4c9e697f7991bad5ce02fdf8f02955251015ecef80d4353042823224da8c973fbd5b559c203e3bf4bd9f77ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
1056eb58c3581be02d1d4430f2007fce

SHA1
665c3a7f4ad8c58993807199e3b0e56f7f53ad1f

SHA256
ad59bbc6177f7bd13a2c6cf3fc7af9550fac13cdc81519c7d2e9ab35fe11abd3

SHA512
9b522f941a78913d4e2a7e30a0412cc919607a709c0f712716b140099a7949ee41cbf9c993dc878b45e581f529c1e9c360bd61f0ea85561137ab605588881f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
ac8e19220df193cd54b2c5e41e2d1dd9

SHA1
40b313c659e74030690ee1383abc838626145b15

SHA256
9a943ee676857905d17347013fe376dbc29f3bc7dae79081e17ecaf6fe421b8f

SHA512
0ab591c8b8f318af17ed2ed9c6da538aaf6fbde244885441e0b341b745a7869700bb3ecfd931f053dd6034c4e0f7866763f6167bd8e63177bd61192cc63d4057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
38dff73c4c6b5f8fa0bede285a87658c

SHA1
7db0e5541eaa2f27934d577fafc996d7d29cc678

SHA256
732c7c26777f12e1a3a4b98455dfd368970a7c91ae1c10cdd7d110f0f9379852

SHA512
02cf986e265e3fb7e5c5a7f7a3dd432d40a3414303d578d52739c3ca1b15b5d214bb40da9a42a993595c2531fd9f07273ac2f36dc03cd45b5c7c44e46ab7bbae

Download Submit
memory/3508-3-0x00000000029D0000-0x00000000029D3000-memory.dmp

Filesize
12KB

Download
memory/3508-9-0x0000000002A60000-0x0000000002AD9000-memory.dmp

Filesize
484KB

Download
memory/3508-4-0x0000000002A60000-0x0000000002AD9000-memory.dmp

Filesize
484KB

Download
memory/3508-5-0x00000000029D0000-0x00000000029D3000-memory.dmp

Filesize
12KB

Download
memory/3508-6-0x0000000002A60000-0x0000000002AD9000-memory.dmp

Filesize
484KB

Download
memory/4420-7-0x00000000008C0000-0x00000000009C2000-memory.dmp

Filesize
1.0MB

Download
memory/4420-20-0x00000000008C0000-0x00000000009C2000-memory.dmp

Filesize
1.0MB

Download
memory/4420-0-0x00000000008C0000-0x00000000009C2000-memory.dmp

Filesize
1.0MB

Download
memory/4420-25-0x00000000008C0000-0x00000000009C2000-memory.dmp

Filesize
1.0MB

Download
memory/4420-26-0x00000000008C0000-0x00000000009C2000-memory.dmp

Filesize
1.0MB

Download
memory/4420-31-0x00000000008C0000-0x00000000009C2000-memory.dmp

Filesize
1.0MB

Download
memory/4420-45-0x00000000008C0000-0x00000000009C2000-memory.dmp

Filesize
1.0MB

Download
memory/4420-62-0x00000000008C0000-0x00000000009C2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing