c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1

General

Target

c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
Size

536KB
MD5

af8928ec40d1b33602e8934ae5b1b399
SHA1

67587c9ccf4ddebc169d4a035b2fb2e64fc66b88
SHA256

c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1
SHA512

ed36d891217094a3718eff934c208457874767ff75f37dc7190e5c86b62a1a1d6862012228d2fcbdc0b039b2f5ecf35e3a36f846c0ffce2768e5aaaf9989f950
SSDEEP

12288:Nhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:NdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/756-0-0x0000000001330000-0x0000000001432000-memory.dmp	upx
behavioral1/memory/756-187-0x0000000001330000-0x0000000001432000-memory.dmp	upx
behavioral1/memory/756-386-0x0000000001330000-0x0000000001432000-memory.dmp	upx
behavioral1/memory/756-387-0x0000000001330000-0x0000000001432000-memory.dmp	upx
behavioral1/memory/756-676-0x0000000001330000-0x0000000001432000-memory.dmp	upx
behavioral1/memory/756-822-0x0000000001330000-0x0000000001432000-memory.dmp	upx
behavioral1/memory/756-828-0x0000000001330000-0x0000000001432000-memory.dmp	upx
behavioral1/memory/756-849-0x0000000001330000-0x0000000001432000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cf168	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
Token: SeTcbPrivilege	756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
Token: SeDebugPrivilege	756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
Token: SeDebugPrivilege	1380	Explorer.EXE
Token: SeTcbPrivilege	1380	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1380	756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe	10
PID 756 wrote to memory of 1380	756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe	10
PID 756 wrote to memory of 1380	756	c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe	10

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380
- C:\Users\Admin\AppData\Local\Temp\c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe
  "C:\Users\Admin\AppData\Local\Temp\c98935aff24fe7949553d57dd3a3d232653cc06fb03f0c7e18224c99fa6f09e1.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
36KB

MD5
0ee8ed9e9b8a755025dec48d4ac7e3df

SHA1
4c77e77aac7383a25c1cc7f61cb24c51aae7a861

SHA256
b22089ee4f8734d72737e3630008371ef1e9f8b36523e9e8a63b3799b3e74161

SHA512
4c15bb0d34f61655cc54326eb84e840c3d386837aad6078a1ddb2e4cafee9da38ca77b6d192ff349bcfdc7210e8181515621285e057afe3bcb4263fc93f28e37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7faae99f095b1734b2fb51a0c5183029

SHA1
d6735e89c7272723c125d50e065806eeb54bca71

SHA256
b375a848c5c2e9116521dc523860d53421511625259c75f4f48b11862bd31f66

SHA512
e7796d1cbcaaae9d1271c7f44b185d7b2e6959a6b1d74bb25ee7834423d3c6040b41486cf09462a1a4b766b75855c7de50ae589adca2eff9a86d0248474e61ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
46d283ad22c349adc825cbcf2f94c886

SHA1
478ca5166b23cdf2f30857a8e750634fb1885678

SHA256
23c6a108b260eccf03d80e5f3d541399aadf73f0d824ed3028ac9e4df479981f

SHA512
6935fa6f486f209c77a6610d47d97347a8a4fede6ffdae7f6e447193261d1cbf12efd8e9f322a2722eea5d48ed709722984cd581fb3220221c16aed5c97e3a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar286D.tmp

Filesize
11KB

MD5
a33aa822153b015bdb0468b1ee1f35d6

SHA1
9c27fc4e0170a34b55875675f3911eb881f166c8

SHA256
e337b97fa728b582369775b612b4ee31f2b2d48ac2fd92744b2c84b14c996507

SHA512
8c13bd57fa76fa266fa5de5c2caa32e6c83bccd0c81568936cdf7dcf02b065dc9665b2d7ecc076e30ad9df7040b2f9b3fa105f4d181fb562558a47ecc6c096c9

Download Submit
memory/756-0-0x0000000001330000-0x0000000001432000-memory.dmp

Filesize
1.0MB

Download
memory/756-187-0x0000000001330000-0x0000000001432000-memory.dmp

Filesize
1.0MB

Download
memory/756-386-0x0000000001330000-0x0000000001432000-memory.dmp

Filesize
1.0MB

Download
memory/756-387-0x0000000001330000-0x0000000001432000-memory.dmp

Filesize
1.0MB

Download
memory/756-676-0x0000000001330000-0x0000000001432000-memory.dmp

Filesize
1.0MB

Download
memory/756-822-0x0000000001330000-0x0000000001432000-memory.dmp

Filesize
1.0MB

Download
memory/756-828-0x0000000001330000-0x0000000001432000-memory.dmp

Filesize
1.0MB

Download
memory/756-849-0x0000000001330000-0x0000000001432000-memory.dmp

Filesize
1.0MB

Download
memory/1380-6-0x0000000004A40000-0x0000000004AB9000-memory.dmp

Filesize
484KB

Download
memory/1380-3-0x0000000002A50000-0x0000000002A53000-memory.dmp

Filesize
12KB

Download
memory/1380-285-0x0000000004A40000-0x0000000004AB9000-memory.dmp

Filesize
484KB

Download
memory/1380-4-0x0000000004A40000-0x0000000004AB9000-memory.dmp

Filesize
484KB

Download
memory/1380-5-0x0000000002A50000-0x0000000002A53000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing