9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174

General

Target

9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
Size

536KB
MD5

6b37808dd42aa1c5e86fcc6aa81b0899
SHA1

00a92d7edf34b527c5f4f0c293b91d1c08e9ed97
SHA256

9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174
SHA512

f3fb0f34bb315710737f5ba2d58dd383ee3ac50f8a127072addcd537bfbe0c135ee246f431f79ffb62fd6ac8168f1ac2ded8c61af9cae04c30d700ddb80fa364
SSDEEP

12288:7hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:7dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1404-0-0x00000000006B0000-0x00000000007B2000-memory.dmp	upx
behavioral2/memory/1404-8-0x00000000006B0000-0x00000000007B2000-memory.dmp	upx
behavioral2/memory/1404-19-0x00000000006B0000-0x00000000007B2000-memory.dmp	upx
behavioral2/memory/1404-20-0x00000000006B0000-0x00000000007B2000-memory.dmp	upx
behavioral2/memory/1404-26-0x00000000006B0000-0x00000000007B2000-memory.dmp	upx
behavioral2/memory/1404-32-0x00000000006B0000-0x00000000007B2000-memory.dmp	upx
behavioral2/memory/1404-34-0x00000000006B0000-0x00000000007B2000-memory.dmp	upx
behavioral2/memory/1404-39-0x00000000006B0000-0x00000000007B2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\180978	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
Token: SeTcbPrivilege	1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
Token: SeDebugPrivilege	1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
Token: SeDebugPrivilege	3452	Explorer.EXE
Token: SeTcbPrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3452	Explorer.EXE
3452	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3452	1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe	52
PID 1404 wrote to memory of 3452	1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe	52
PID 1404 wrote to memory of 3452	1404	9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3452
- C:\Users\Admin\AppData\Local\Temp\9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe
  "C:\Users\Admin\AppData\Local\Temp\9c73015ede8edb04a59f394d86c0be9bd98a2dd253f70b4a94fd3230d0e1f174.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
67bd58d5b7ee6db920e161c535aa10af

SHA1
63cc6554ede3c99b34e0d8a90b8a26ad940f96d8

SHA256
9b29aae0604c119859cdf7c81256639cf3e3f5a7c0be0082cca747c32519733c

SHA512
c72437aebb5a916747a9a89aa81c46cc9a1c3bd8bb4b8d1e481901ca8d5331d519cf8a5cdbc00f90499efce5143671296f3a72551acf120651c551ca6cd31b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
937B

MD5
1056eb58c3581be02d1d4430f2007fce

SHA1
665c3a7f4ad8c58993807199e3b0e56f7f53ad1f

SHA256
ad59bbc6177f7bd13a2c6cf3fc7af9550fac13cdc81519c7d2e9ab35fe11abd3

SHA512
9b522f941a78913d4e2a7e30a0412cc919607a709c0f712716b140099a7949ee41cbf9c993dc878b45e581f529c1e9c360bd61f0ea85561137ab605588881f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
8946e5cadcd4d35bd4aeece858e36e4c

SHA1
6eee193c9a990baeca472cfd3f2f34873f4fe4b9

SHA256
dd7bc4c87ad120c256f8b2e1a1b6ffd4f04a7d280e7297e5f9af93371428e6bb

SHA512
4a1e94a7ed73abd8fd87d9232aa35b55a84a66e3d85140a94d66ceaab7b17aaa9d0289a9c6c416023e12705b5ced5abcd81c0a9d09289436629445149e4dd001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
df4222030011267d1b3a41da8b89674e

SHA1
cae09f0d0960e53187735b814988f2f72ab292da

SHA256
d99009b077e9ca189da52071d2afe36c13238f4078c1c39a62c5b60da300289c

SHA512
76dc4ccab6fb125cd4a2136413da9dfb9f5f9b722b29be3b2af040314a4d982db3d644ff31cd6ded1ece65a0b5812d25af6cd423236e592dc4a27fbf546986c8

Download Submit
memory/1404-20-0x00000000006B0000-0x00000000007B2000-memory.dmp

Filesize
1.0MB

Download
memory/1404-8-0x00000000006B0000-0x00000000007B2000-memory.dmp

Filesize
1.0MB

Download
memory/1404-19-0x00000000006B0000-0x00000000007B2000-memory.dmp

Filesize
1.0MB

Download
memory/1404-0-0x00000000006B0000-0x00000000007B2000-memory.dmp

Filesize
1.0MB

Download
memory/1404-26-0x00000000006B0000-0x00000000007B2000-memory.dmp

Filesize
1.0MB

Download
memory/1404-32-0x00000000006B0000-0x00000000007B2000-memory.dmp

Filesize
1.0MB

Download
memory/1404-34-0x00000000006B0000-0x00000000007B2000-memory.dmp

Filesize
1.0MB

Download
memory/1404-39-0x00000000006B0000-0x00000000007B2000-memory.dmp

Filesize
1.0MB

Download
memory/3452-16-0x0000000002750000-0x00000000027C9000-memory.dmp

Filesize
484KB

Download
memory/3452-7-0x0000000002750000-0x00000000027C9000-memory.dmp

Filesize
484KB

Download
memory/3452-4-0x0000000002750000-0x00000000027C9000-memory.dmp

Filesize
484KB

Download
memory/3452-5-0x0000000000770000-0x0000000000773000-memory.dmp

Filesize
12KB

Download
memory/3452-3-0x0000000000770000-0x0000000000773000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing