d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-01-2024 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d.exe
Size

274KB
MD5

16c5fafac555c013909728a9982ac7a9
SHA1

52231af2ecabfd7343b9aed141122312dc40944b
SHA256

d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d
SHA512

a77f8442696e0865f35385e65c85f68c9ea7b60a0d8995977ac5108255e8f778440e490bde60089f504bfba67412a8b6cd67e0b33827ea0bbfc7488ded3a1a86
SSDEEP

6144:tbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:tPcrfR6ZnOkx2LIa

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000E50000-0x0000000000EDC000-memory.dmp	upx
behavioral1/memory/1680-3-0x0000000000E50000-0x0000000000EDC000-memory.dmp	upx
behavioral1/memory/1680-19-0x0000000000E50000-0x0000000000EDC000-memory.dmp	upx
behavioral1/memory/1680-152-0x0000000000E50000-0x0000000000EDC000-memory.dmp	upx
behavioral1/memory/1680-153-0x0000000000E50000-0x0000000000EDC000-memory.dmp	upx

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\err_1680.log	d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1680	d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d.exe
1680	d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d.exe
1680	d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d.exe
Token: SeTcbPrivilege	1680	d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d.exe

C:\Users\Admin\AppData\Local\Temp\d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d.exe
"C:\Users\Admin\AppData\Local\Temp\d7968fa219509ffc93d04ddc78cd50b27c63c49d4c7ea24f9084b13b8f7e729d.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9563e43364e2a4ad932d0ce584945fd8

SHA1
f0b722a3be4e235299e8e0d326c640eb78e9c77c

SHA256
08df646de2b4c2af66be68f4cf65c9f6ec5b76a14ef0ca30c775492c2a4ebc44

SHA512
0d5b6b4ae52b9f93889f4fcfb47f2e6de3675157ff464f7f7a187c5eaad97e36ad10462ee94dc530492e112eb1e913f667c6174584c00a4effa54897e8a1b616

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAFE.tmp

Filesize
79KB

MD5
71d7b4c5d826c08166d4fc4793eb157b

SHA1
d7b760c922216239f2439acc44f94cb6c050cede

SHA256
39a7c00ed534d14b41c779f9af81c0b0e5cff37cd660fd73ac530771862bbbb7

SHA512
883e9f7d0e2b59416504aeb9705a2b4479b5620693ed3e41a49acf980c63398d257d6a7b62757c2b0a5219392f74d4dfe6379cdf88bfe7d980b5fb82a44c4b23

Download Submit
memory/1680-0-0x0000000000E50000-0x0000000000EDC000-memory.dmp

Filesize
560KB

Download
memory/1680-3-0x0000000000E50000-0x0000000000EDC000-memory.dmp

Filesize
560KB

Download
memory/1680-19-0x0000000000E50000-0x0000000000EDC000-memory.dmp

Filesize
560KB

Download
memory/1680-152-0x0000000000E50000-0x0000000000EDC000-memory.dmp

Filesize
560KB

Download
memory/1680-153-0x0000000000E50000-0x0000000000EDC000-memory.dmp

Filesize
560KB

Download