023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852

General

Target

023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
Size

536KB
MD5

8d4a34b8012c8914256797186a0bdcd7
SHA1

126288b987a1b7fcc41925bf8a1c49bc374deabd
SHA256

023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852
SHA512

eeee4534c6d97b2eb3861a62d877aafb5cfbf42cba82347bbad658570f4a9243c80184510672a4a9de1f1bbb8b029cbe9a123c58ed15e14c18c8f1da6a6c5510
SSDEEP

12288:8hf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:8dQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4224-0-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/4224-1-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/4224-4-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/4224-10-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/4224-21-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/4224-29-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/4224-30-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/4224-33-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx
behavioral2/memory/4224-45-0x00000000000E0000-0x00000000001E2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\485100	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
Token: SeTcbPrivilege	4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
Token: SeDebugPrivilege	4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
Token: SeDebugPrivilege	3464	Explorer.EXE
Token: SeTcbPrivilege	3464	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3464	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 3464	4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe	60
PID 4224 wrote to memory of 3464	4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe	60
PID 4224 wrote to memory of 3464	4224	023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe	60

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3464
- C:\Users\Admin\AppData\Local\Temp\023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe
  "C:\Users\Admin\AppData\Local\Temp\023894f29dcea35f94c19bd771b06da6e38a400362b4a481451146d082a5d852.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a039206bc8b0a874e2c0b9877f419245

SHA1
53dd769d695629234c9139befe5d904ea397499c

SHA256
9feced339ad79d6e5f20642352e69a8e55b25be51d9a68fc7f517c2bfce79636

SHA512
dfedf8e3d6e08c3cb845c7579548bd76e122764f4c9e697f7991bad5ce02fdf8f02955251015ecef80d4353042823224da8c973fbd5b559c203e3bf4bd9f77ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
939B

MD5
9b03ee4e781904d2f1de073990f558e9

SHA1
7f06f3e4b6993df3e78486023e3883f0096976d1

SHA256
811e540f4c979cf3dcd58d17d81dc03279a6d4f2b292013227071693046809da

SHA512
1fb9ac473c0bd643a5ac23cfbbed928fcff6288c8d2dbfd440e91b78bade0f7facb6bc2637d63b408ff6d74d52df803415695253cd47abcff853e01c36509a8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
d4012f6015106890af0605bac8d917dd

SHA1
4849e9a631f010e2bf4fcb8fcb4a4e4c740c4fb2

SHA256
1eeb7a86bbbf67cc282aeff9412137c50ddbc995d6e3d3dab293df2af6cf278f

SHA512
95fed08507c69581d93efc24edb80de31894dd43450e52ab229c788c3c2183ce0c588b530dd07ca3179b4c2586c4990ad762c9755053a78315089b1e64de074b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
c67501046b16756195d1ecb6063ce58d

SHA1
d952756eb2d85cf5fb32f8e0f44b780408c9af6f

SHA256
5be1eb5f119a0d3fb614a7b4c6cffa43d10ace5f2238fae3d9ca31c269216652

SHA512
326b9893a4e207b454042032d939f5dffbad909593e46499f42e77611466f1d3d4eb4828d61bf13ad3276826904d82f355bd3c21bcf4acd7b92c370f3e10da04

Download Submit
memory/3464-6-0x0000000002CF0000-0x0000000002CF3000-memory.dmp

Filesize
12KB

Download
memory/3464-7-0x0000000008C60000-0x0000000008CD9000-memory.dmp

Filesize
484KB

Download
memory/3464-9-0x0000000008C60000-0x0000000008CD9000-memory.dmp

Filesize
484KB

Download
memory/3464-8-0x0000000002CF0000-0x0000000002CF3000-memory.dmp

Filesize
12KB

Download
memory/3464-5-0x0000000002CF0000-0x0000000002CF3000-memory.dmp

Filesize
12KB

Download
memory/3464-18-0x0000000008C60000-0x0000000008CD9000-memory.dmp

Filesize
484KB

Download
memory/4224-0-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/4224-21-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/4224-10-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/4224-4-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/4224-1-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/4224-29-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/4224-30-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/4224-33-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download
memory/4224-45-0x00000000000E0000-0x00000000001E2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing