a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe

General

Target

a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
Size

536KB
MD5

76c560a272f628e702a6797e5e41e129
SHA1

5fea12847fdcfd24a485408f8446ba228c786076
SHA256

a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe
SHA512

bda59001ec3e8c0f313a7f006ef57c7585beef5cf1efa6b49449f295c745835a3bffe9d8b4b3095b64f1570bcf776e906264e46d824a1c6f557b526cc8944af0
SSDEEP

12288:Lhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:LdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3492-0-0x0000000000B50000-0x0000000000C52000-memory.dmp	upx
behavioral2/memory/3492-8-0x0000000000B50000-0x0000000000C52000-memory.dmp	upx
behavioral2/memory/3492-19-0x0000000000B50000-0x0000000000C52000-memory.dmp	upx
behavioral2/memory/3492-20-0x0000000000B50000-0x0000000000C52000-memory.dmp	upx
behavioral2/memory/3492-29-0x0000000000B50000-0x0000000000C52000-memory.dmp	upx
behavioral2/memory/3492-30-0x0000000000B50000-0x0000000000C52000-memory.dmp	upx
behavioral2/memory/3492-33-0x0000000000B50000-0x0000000000C52000-memory.dmp	upx
behavioral2/memory/3492-45-0x0000000000B50000-0x0000000000C52000-memory.dmp	upx
behavioral2/memory/3492-61-0x0000000000B50000-0x0000000000C52000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3bc8c8	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
3540	Explorer.EXE
3540	Explorer.EXE
3540	Explorer.EXE
3540	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
Token: SeTcbPrivilege	3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
Token: SeDebugPrivilege	3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
Token: SeDebugPrivilege	3540	Explorer.EXE
Token: SeTcbPrivilege	3540	Explorer.EXE
Token: SeShutdownPrivilege	3540	Explorer.EXE
Token: SeCreatePagefilePrivilege	3540	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3540	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3540	3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe	21
PID 3492 wrote to memory of 3540	3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe	21
PID 3492 wrote to memory of 3540	3492	a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3540
- C:\Users\Admin\AppData\Local\Temp\a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe
  "C:\Users\Admin\AppData\Local\Temp\a268005fc16a2af341ded5b30ac0425b1d3cf0ee60d97e5577acdf5427d91dfe.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
80e17988c5eca027973939ad41058836

SHA1
c1fede9b842163f526f17787e069724c859a7a80

SHA256
071a764756c51b540f60aa4c8c6d6f3581df057a935db909bcaf99b8aea4729b

SHA512
5a7b517b9bb44b563904788896d16092acbef165d585f81f3f753c604dfc376d08c6dba77a842284dc63eca96ca1767e2eddc01a7f626ece5a7fa14b9630cf95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
938B

MD5
1df463ff7596107c9f8d9d640d50c58a

SHA1
3f30f19bdb20d064c12b933325ce1c03b775f4a2

SHA256
c1edf2279c8f750b92cfacafa86c5639a231b3648c15d270b0cdf3f983bfc0d0

SHA512
9c5e7a1c3e6d3acadc1be21620dc12d48d19260121e6551425265d8bf7bf7d08691a8c62ccedfea3e0ef67aca7cec3c1bd39cfb05b05d1705a46634bcd38f4cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
7f27c367ab81189dd3703854bf360e44

SHA1
0c12dc15ff2a90622bbdfa194355cb7edafd57ae

SHA256
423726faa9c542eb5d6005810e93511a6859ce34ccbdb4edcedc2210b8506215

SHA512
677098d5aff941c74a46fb4d7852be193512d1fb89d0dcd2bfa232272bcfc7edf52477e7f091bbe66a57b8684004884c079c7fa41fcf678dd637e995d8ba9a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
520B

MD5
fc91fd11593d9fd7ea6933b6c6c2f97b

SHA1
7b7c5aefcbddb1abe5023c5acdbb12df27d08e27

SHA256
6733b75d11f2ebe8777040857d92f395e7c5196514cff8955828858294bc97aa

SHA512
390cc7f0ba5087f65312d8964263f5c16545c1c0def4328c4d99e1523ae03f0229f7a58a7de3bc9c2a485a1df217502411c3ba8d06ea8ce813da0636627bb19f

Download Submit
memory/3492-19-0x0000000000B50000-0x0000000000C52000-memory.dmp

Filesize
1.0MB

Download
memory/3492-29-0x0000000000B50000-0x0000000000C52000-memory.dmp

Filesize
1.0MB

Download
memory/3492-8-0x0000000000B50000-0x0000000000C52000-memory.dmp

Filesize
1.0MB

Download
memory/3492-61-0x0000000000B50000-0x0000000000C52000-memory.dmp

Filesize
1.0MB

Download
memory/3492-0-0x0000000000B50000-0x0000000000C52000-memory.dmp

Filesize
1.0MB

Download
memory/3492-20-0x0000000000B50000-0x0000000000C52000-memory.dmp

Filesize
1.0MB

Download
memory/3492-45-0x0000000000B50000-0x0000000000C52000-memory.dmp

Filesize
1.0MB

Download
memory/3492-33-0x0000000000B50000-0x0000000000C52000-memory.dmp

Filesize
1.0MB

Download
memory/3492-30-0x0000000000B50000-0x0000000000C52000-memory.dmp

Filesize
1.0MB

Download
memory/3540-3-0x00000000028E0000-0x00000000028E3000-memory.dmp

Filesize
12KB

Download
memory/3540-5-0x0000000006D00000-0x0000000006D79000-memory.dmp

Filesize
484KB

Download
memory/3540-4-0x00000000028E0000-0x00000000028E3000-memory.dmp

Filesize
12KB

Download
memory/3540-7-0x0000000006D00000-0x0000000006D79000-memory.dmp

Filesize
484KB

Download
memory/3540-6-0x00000000028E0000-0x00000000028E3000-memory.dmp

Filesize
12KB

Download
memory/3540-17-0x0000000006D00000-0x0000000006D79000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing