60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5

General

Target

60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
Size

536KB
MD5

a4452d3f197699c1a242e17f74211c0c
SHA1

c96b9a24fcc6f68c697834974d59f36b68bb1c45
SHA256

60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5
SHA512

2f3be8e3d08bfca2623cbc4ef2a6e68a136b4b9da5647f0450ff54e1a7cb23c6ec02d40531a548ae48fb781bf2efdbee2233c79e1b4176d05663b0d6b20f1557
SSDEEP

12288:Thf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:TdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4812-0-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/4812-3-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/4812-8-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/4812-27-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/4812-29-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/4812-30-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/4812-37-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx
behavioral2/memory/4812-47-0x0000000000A60000-0x0000000000B62000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\526218	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE
3512	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
Token: SeTcbPrivilege	4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
Token: SeDebugPrivilege	4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
Token: SeDebugPrivilege	3512	Explorer.EXE
Token: SeTcbPrivilege	3512	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3512	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 3512	4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe	47
PID 4812 wrote to memory of 3512	4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe	47
PID 4812 wrote to memory of 3512	4812	60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe	47

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3512
- C:\Users\Admin\AppData\Local\Temp\60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe
  "C:\Users\Admin\AppData\Local\Temp\60ea7df711c8619c6cab1522da6d3257bdb15bba77288e437ca1e0afdc2c5db5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
63e19632cc36c10eb00396aa039904f2

SHA1
24a0a6f0f86dada606e59dc50da52744d85e7133

SHA256
962cf3b4006335a8ad6df47d431f36ed66c60a279fd21e0a553586ea8b739caa

SHA512
56b42014794bffc24e32e3bfe1aac056b7daafa0b836f09a7dfb64b267e53cde4f01a16557786f6af7661ff9eea93fc6f38d4f94925a82dd679727a1d3c9acf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
938B

MD5
c3a1ad003ce7168886937c70919b481b

SHA1
70e982db3798fb47d64ae1a02cfc37998e089b5a

SHA256
37d97381e7d6823f1342987ef5a056200b512ef69b98020617986b0ff39f0a50

SHA512
c8a0da1665552f53b79fdf7514d09115c78ec311ab90721053aa1690901496ea94e6bc79dd8eb92663410825a6bd3af413e7550ebc263326fa4f7917eee83cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
e3f2fd3ca330e2969e36c35dccb81efe

SHA1
9fb5dba5ad39b8c001127f2eee7ea6fde8e81db2

SHA256
8564ff280bbd437c3be675a1276d8bd4cc9fe9671043652313cf95e44c918a3b

SHA512
ab79e140ad703bc82f640e37c006f1e7a87dab433df8ff093ada5ed4d8fac2ada4c78d0d1825419af0d0e79e0b1247a77616ea1df77af30a3f345887001242e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E

Filesize
520B

MD5
4ea6265b6dfbe95a749223d6248bda6c

SHA1
a1bc394b393c8c04521751551015c7af3f698f14

SHA256
551ce5fd50782ae607f0dd0982ccd99e9e901749477cd1dbeb0b3c67b05d3f30

SHA512
3adddeeca9747a4fd66e34ac0cdf7327b8448259ee1861bb6849130e994ffe4f964f2c7840f82603b7a3d760f05fd10c9a96f6db9428155fd218c8c39eaafcfb

Download Submit
memory/3512-18-0x0000000006D00000-0x0000000006D79000-memory.dmp

Filesize
484KB

Download
memory/3512-5-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/3512-9-0x0000000006D00000-0x0000000006D79000-memory.dmp

Filesize
484KB

Download
memory/3512-6-0x0000000006D00000-0x0000000006D79000-memory.dmp

Filesize
484KB

Download
memory/3512-7-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/3512-4-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/4812-0-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/4812-8-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/4812-3-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/4812-27-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/4812-29-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/4812-30-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/4812-37-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download
memory/4812-47-0x0000000000A60000-0x0000000000B62000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing