cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3

General

Target

cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
Size

536KB
MD5

944a33ef326e4268557d0ab9aee354fa
SHA1

acbee8143230aed412d602b6a8cadf7bc4354d6f
SHA256

cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3
SHA512

34eeba9af1e598dd9648b1621234b062f8ee09ebecc62e90f8cb67eb8dffc9dd8f1b9cb53709a26901113040dfc127bb9955d9994fd4240937312fcd9d0bf29c
SSDEEP

12288:7hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:7dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4500-0-0x0000000000080000-0x0000000000182000-memory.dmp	upx
behavioral2/memory/4500-14-0x0000000000080000-0x0000000000182000-memory.dmp	upx
behavioral2/memory/4500-25-0x0000000000080000-0x0000000000182000-memory.dmp	upx
behavioral2/memory/4500-26-0x0000000000080000-0x0000000000182000-memory.dmp	upx
behavioral2/memory/4500-31-0x0000000000080000-0x0000000000182000-memory.dmp	upx
behavioral2/memory/4500-43-0x0000000000080000-0x0000000000182000-memory.dmp	upx
behavioral2/memory/4500-69-0x0000000000080000-0x0000000000182000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4d0aa8	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE
3492	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
Token: SeTcbPrivilege	4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
Token: SeDebugPrivilege	4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
Token: SeDebugPrivilege	3492	Explorer.EXE
Token: SeTcbPrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3492	Explorer.EXE
3492	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3492	4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe	43
PID 4500 wrote to memory of 3492	4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe	43
PID 4500 wrote to memory of 3492	4500	cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3492
- C:\Users\Admin\AppData\Local\Temp\cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe
  "C:\Users\Admin\AppData\Local\Temp\cf12b620c2fb2c5ff421a995118c01287e83c1506e336fe64ae5aafa58603fe3.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
67bd58d5b7ee6db920e161c535aa10af

SHA1
63cc6554ede3c99b34e0d8a90b8a26ad940f96d8

SHA256
9b29aae0604c119859cdf7c81256639cf3e3f5a7c0be0082cca747c32519733c

SHA512
c72437aebb5a916747a9a89aa81c46cc9a1c3bd8bb4b8d1e481901ca8d5331d519cf8a5cdbc00f90499efce5143671296f3a72551acf120651c551ca6cd31b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c3a1ad003ce7168886937c70919b481b

SHA1
70e982db3798fb47d64ae1a02cfc37998e089b5a

SHA256
37d97381e7d6823f1342987ef5a056200b512ef69b98020617986b0ff39f0a50

SHA512
c8a0da1665552f53b79fdf7514d09115c78ec311ab90721053aa1690901496ea94e6bc79dd8eb92663410825a6bd3af413e7550ebc263326fa4f7917eee83cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
df76b9a97aa64cd48e77ea35a574469e

SHA1
8197693efbb869f8e49bdfef767ee05eeb2f2e48

SHA256
c09b5b84912e64da51e5a6bda315cd2d4ba17293d4a7705cb5d6cd9ad72bba6d

SHA512
2c3ae973b4450252e3c8437d486ceaa168e810b0f19580ebcd814f8d9e952bc9917eb9aa0564040d67a87317bdf3bb03ca086ef906c93708b5d7f3da6bcfe6bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
49dcbec6ddcad284b2403c35881cfd96

SHA1
ac7b0fb345dcbc0c7f7b474309a7692513746a0b

SHA256
fc313fe779ceae9f70321fd217966bed00cf6fb50d2b2c564bdd40a6135fd1d4

SHA512
981288cd704ce04e7a0f4b5d1d9869067293e0807f24b734274a6a012ba7331ba7d7990bd0a167c26a77785cc12e7d791789e81d68e5304ad78196a837d49906

Download Submit
memory/3492-7-0x0000000003270000-0x00000000032E9000-memory.dmp

Filesize
484KB

Download
memory/3492-16-0x0000000003270000-0x00000000032E9000-memory.dmp

Filesize
484KB

Download
memory/3492-3-0x00000000031E0000-0x00000000031E3000-memory.dmp

Filesize
12KB

Download
memory/3492-4-0x0000000003270000-0x00000000032E9000-memory.dmp

Filesize
484KB

Download
memory/3492-5-0x00000000031E0000-0x00000000031E3000-memory.dmp

Filesize
12KB

Download
memory/4500-14-0x0000000000080000-0x0000000000182000-memory.dmp

Filesize
1.0MB

Download
memory/4500-0-0x0000000000080000-0x0000000000182000-memory.dmp

Filesize
1.0MB

Download
memory/4500-25-0x0000000000080000-0x0000000000182000-memory.dmp

Filesize
1.0MB

Download
memory/4500-26-0x0000000000080000-0x0000000000182000-memory.dmp

Filesize
1.0MB

Download
memory/4500-31-0x0000000000080000-0x0000000000182000-memory.dmp

Filesize
1.0MB

Download
memory/4500-43-0x0000000000080000-0x0000000000182000-memory.dmp

Filesize
1.0MB

Download
memory/4500-69-0x0000000000080000-0x0000000000182000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing