cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3

General

Target

cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
Size

536KB
MD5

944a33ef326e4268557d0ab9aee354fa
SHA1

acbee8143230aed412d602b6a8cadf7bc4354d6f
SHA256

cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3
SHA512

34eeba9af1e598dd9648b1621234b062f8ee09ebecc62e90f8cb67eb8dffc9dd8f1b9cb53709a26901113040dfc127bb9955d9994fd4240937312fcd9d0bf29c
SSDEEP

12288:7hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:7dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2508-0-0x00000000012E0000-0x00000000013E2000-memory.dmp	upx
behavioral1/memory/2508-113-0x00000000012E0000-0x00000000013E2000-memory.dmp	upx
behavioral1/memory/2508-404-0x00000000012E0000-0x00000000013E2000-memory.dmp	upx
behavioral1/memory/2508-548-0x00000000012E0000-0x00000000013E2000-memory.dmp	upx
behavioral1/memory/2508-692-0x00000000012E0000-0x00000000013E2000-memory.dmp	upx
behavioral1/memory/2508-697-0x00000000012E0000-0x00000000013E2000-memory.dmp	upx
behavioral1/memory/2508-711-0x00000000012E0000-0x00000000013E2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2af018	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
Token: SeTcbPrivilege	2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
Token: SeDebugPrivilege	2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeTcbPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1208	2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe	13
PID 2508 wrote to memory of 1208	2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe	13
PID 2508 wrote to memory of 1208	2508	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1208
- C:\Users\Admin\AppData\Local\Temp\cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
  "C:\Users\Admin\AppData\Local\Temp\cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afb09a6a6812e162d616c38c10527d31

SHA1
03473a64ea0359b18c9c2a8f628b66e9cc635718

SHA256
14c5765fd0419d05d1f8cab12ad677a4f9deaf29e6c7bec0169143eacfcc046e

SHA512
33c0cce3df53d94ae48523ca6be9cbd1594edaa75e6e8f99fb13a1966f6aea26bdb4ad0420282761633553ee1c793355e92119eab2f2d1429fbd08b7430b97af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c6e8afd7ba30a2d5e344822e31f05d9

SHA1
cb12a85f6b0b4b856523875c5b407c83bdc47fc8

SHA256
0256da1b24707e7580f9b481ba7d17d3c0d6f8a2111bbab38d34fc829aec2caa

SHA512
4e2f2d897190194cf2c65c84a1aea04b9eba3339dfb0839c0fd8a7a445cf0d378e34be59be7b747db573fd4935977d2dd11fa33635bf7a08488b7ba80aab1a1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b6045cd04a9117e0ad07ac59d3996be

SHA1
fa1c92227775533ca55c6de848c0fd345dbdcecc

SHA256
ebf9513f87b0e1b5df4ecfb3330fae3cab409799312b3b598990113406b7b897

SHA512
1bcf1a33a41dbee612b98eec88f6d9573756482ba68977959d8e03b06f89d14c8e3f8b42bfc219c5ff599dacb85b8643b83ff5ebf2e6a8263511754984db51ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11fede5de64b5825768b17e444d40939

SHA1
9226ff989576164c270b053f4cfada9fdcfb4686

SHA256
85cd7fa8b34784d8c1ba22473a52626979cb1a5244466476e816fc6bc713cbec

SHA512
9d7e4a17291878b0b89240efc87f400d18d4337c453b366999ec794c5229fd360a6cb5b36e4743bef71f4852574125cdbd633f4530634f663438ca4ab667f385

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca2682535e34cbc845c00a804e2dde23

SHA1
34d7bfc42ebf27851f9d55a2fc4ea2da9bec07ce

SHA256
278e6791a658efae16098c519dd8db42e6663d191ded2791ccccc0d1f34cf7f9

SHA512
fada741336bde34b621d4a7425fbf4fa09e3f5339260f01016780b3a8a7f4384cd7e925f036fb966d06c7d0b07cb9e552328005faf7cee199f3fdb218ed12fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab624E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62CD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1208-178-0x00000000041F0000-0x0000000004269000-memory.dmp

Filesize
484KB

Download
memory/1208-5-0x00000000041F0000-0x0000000004269000-memory.dmp

Filesize
484KB

Download
memory/1208-4-0x0000000002B60000-0x0000000002B63000-memory.dmp

Filesize
12KB

Download
memory/1208-3-0x0000000002B60000-0x0000000002B63000-memory.dmp

Filesize
12KB

Download
memory/2508-113-0x00000000012E0000-0x00000000013E2000-memory.dmp

Filesize
1.0MB

Download
memory/2508-0-0x00000000012E0000-0x00000000013E2000-memory.dmp

Filesize
1.0MB

Download
memory/2508-404-0x00000000012E0000-0x00000000013E2000-memory.dmp

Filesize
1.0MB

Download
memory/2508-548-0x00000000012E0000-0x00000000013E2000-memory.dmp

Filesize
1.0MB

Download
memory/2508-692-0x00000000012E0000-0x00000000013E2000-memory.dmp

Filesize
1.0MB

Download
memory/2508-697-0x00000000012E0000-0x00000000013E2000-memory.dmp

Filesize
1.0MB

Download
memory/2508-711-0x00000000012E0000-0x00000000013E2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing