188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d

General

Target

188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
Size

536KB
MD5

9166ab4af3b73058b50e386f208a1872
SHA1

4acb2d8174aa42d8fe98bae46b4fe1da9115b1d9
SHA256

188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d
SHA512

5933bcff2bd677cd230ada15e6de34eab929792735b3801161f1ea0b78ef19ecce052625dadeb7188668b053ba6cc2ed6b1ca25a2605683ee891d374a6633da6
SSDEEP

12288:ahf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:adQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/396-0-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/396-13-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/396-24-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/396-26-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/396-31-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/396-43-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx
behavioral2/memory/396-67-0x00000000007E0000-0x00000000008E2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\6c798	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
3424	Explorer.EXE
3424	Explorer.EXE
3424	Explorer.EXE
3424	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
Token: SeTcbPrivilege	396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
Token: SeDebugPrivilege	396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
Token: SeDebugPrivilege	3424	Explorer.EXE
Token: SeTcbPrivilege	3424	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3424	396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe	73
PID 396 wrote to memory of 3424	396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe	73
PID 396 wrote to memory of 3424	396	188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe	73

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424
- C:\Users\Admin\AppData\Local\Temp\188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe
  "C:\Users\Admin\AppData\Local\Temp\188271cb9e6c5b966bcc3bbd9b203d0fe0285f73076eb800e1fd62f234b4110d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
67bd58d5b7ee6db920e161c535aa10af

SHA1
63cc6554ede3c99b34e0d8a90b8a26ad940f96d8

SHA256
9b29aae0604c119859cdf7c81256639cf3e3f5a7c0be0082cca747c32519733c

SHA512
c72437aebb5a916747a9a89aa81c46cc9a1c3bd8bb4b8d1e481901ca8d5331d519cf8a5cdbc00f90499efce5143671296f3a72551acf120651c551ca6cd31b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c3a1ad003ce7168886937c70919b481b

SHA1
70e982db3798fb47d64ae1a02cfc37998e089b5a

SHA256
37d97381e7d6823f1342987ef5a056200b512ef69b98020617986b0ff39f0a50

SHA512
c8a0da1665552f53b79fdf7514d09115c78ec311ab90721053aa1690901496ea94e6bc79dd8eb92663410825a6bd3af413e7550ebc263326fa4f7917eee83cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
6f714f267ec3e975e2a45b305c351455

SHA1
e087964a0e255058648fcce4eafbf04b2223ff25

SHA256
8dde8c112a6fec4d994bc0e4db3c8b79bd476605f6e5a60f266208913c2cbd38

SHA512
cc5f0025de3b9e875c2f2738ab1efbe9097008ba1a7e9ec271ff04780aab339af68f90188a75e2b991a09cbfb94f72ea96e50962f74dc71ca5e2349f7d3ea9d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
58a8be77d5cea6fcddd1c73aae744bc2

SHA1
13bbc0c902b6a47f6f3ee2a8ae9eda2655cbfa77

SHA256
af06686e294f85a1d38b678d830680961436154b5f141d67e3794930ef319efa

SHA512
2d28776e475546efda9544c5bd459e1e67a12e77addb65dafa6f0691fe7cb1c732c390a2a448f406513df37d7a685bae722a980b310ae6dfe595d6d28de6e904

Download Submit
memory/396-26-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/396-13-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/396-24-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/396-0-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/396-31-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/396-43-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/396-67-0x00000000007E0000-0x00000000008E2000-memory.dmp

Filesize
1.0MB

Download
memory/3424-15-0x0000000003340000-0x00000000033B9000-memory.dmp

Filesize
484KB

Download
memory/3424-6-0x0000000003340000-0x00000000033B9000-memory.dmp

Filesize
484KB

Download
memory/3424-5-0x0000000002EA0000-0x0000000002EA3000-memory.dmp

Filesize
12KB

Download
memory/3424-4-0x0000000003340000-0x00000000033B9000-memory.dmp

Filesize
484KB

Download
memory/3424-3-0x0000000002EA0000-0x0000000002EA3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing