ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2

General

Target

ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
Size

536KB
MD5

19a9ce9d71f72aea73ef92352289990a
SHA1

63120246d073949df8e0e5b4846dbd37801b126a
SHA256

ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2
SHA512

ac09a83e1a067be2c6925d02cf88d57edfb41dcbe385c952de17176685d4390ed46ad5f6f4ce2e94007e168fa66f6c504dfdd98e307074f5d0eb99aa9630e31f
SSDEEP

12288:Thf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:TdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1280-0-0x0000000000AB0000-0x0000000000BB2000-memory.dmp	upx
behavioral2/memory/1280-14-0x0000000000AB0000-0x0000000000BB2000-memory.dmp	upx
behavioral2/memory/1280-25-0x0000000000AB0000-0x0000000000BB2000-memory.dmp	upx
behavioral2/memory/1280-26-0x0000000000AB0000-0x0000000000BB2000-memory.dmp	upx
behavioral2/memory/1280-28-0x0000000000AB0000-0x0000000000BB2000-memory.dmp	upx
behavioral2/memory/1280-38-0x0000000000AB0000-0x0000000000BB2000-memory.dmp	upx
behavioral2/memory/1280-59-0x0000000000AB0000-0x0000000000BB2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\15ea00	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
Token: SeTcbPrivilege	1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
Token: SeDebugPrivilege	1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
Token: SeDebugPrivilege	3488	Explorer.EXE
Token: SeTcbPrivilege	3488	Explorer.EXE
Token: SeShutdownPrivilege	3488	Explorer.EXE
Token: SeCreatePagefilePrivilege	3488	Explorer.EXE
Token: SeShutdownPrivilege	3488	Explorer.EXE
Token: SeCreatePagefilePrivilege	3488	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3488	Explorer.EXE
3488	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 3488	1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe	54
PID 1280 wrote to memory of 3488	1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe	54
PID 1280 wrote to memory of 3488	1280	ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3488
- C:\Users\Admin\AppData\Local\Temp\ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe
  "C:\Users\Admin\AppData\Local\Temp\ed30a11ac95e40d94d7add3a81458fe3cc794283f18fe2941a0eca4b9e66a2e2.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
9271aea03fc2c3f32e23a8fafdc27dd0

SHA1
ba79c68ae4e7e7e9c81c141f03267f1bf165a45d

SHA256
8c7b053a43c5cf3f50693f68406878e5620faaf45450a8b00fdf70b6978cd706

SHA512
e1c013adac2bf74dac6d37eb2ddd9fbcaa6e176f912fa35c5b08d5858d295305777ec536180cbca03b8260d5a428fc7d00d0069db097a4ad4fff02b427d61ddc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
939B

MD5
eb476edd1aa38b5085cb8474812f7e25

SHA1
fa8cbb19cbba2dca302bf86ffa9b904aea1a52cf

SHA256
e60f60372165bb970bb69a83524a107c2a2dcc2c45f65cc1aff3a436dabf9590

SHA512
10172aa9b52ab2eb421ab3d5e21dca0f15b4341793af4b549185d545a08c6cfdd868ac56ee63af1259dba6443c73ace431f6c329eaf0c7e3dbfe0dd2dfd1071a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
a39b425a07fb2c6bd6bd50e29469fe7c

SHA1
5774d6d3a7e5827822ee6d5c86b39fa54e633bd0

SHA256
341c21ef0d5d2a913c239bee56ac031c277e7601e84a4816d9d6ca45327f0803

SHA512
f7eb8ba912417d3ea561a54f4e253d5e328dfb0cfa928373df3aa7c332b14797d22efb0cf1f0188fb2035c3a1f99e9c3e09c4e1fbb02b2d9694c8da2abb64d82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
520B

MD5
6001ca4d70c1c4077d6dc066c80a24f7

SHA1
6e43e5b875c279c9d69bc3eabb81da861ccca434

SHA256
ce25ef61bc497188417e3245334f87dd708c2a85fef4876225198c3703fef785

SHA512
c4c54f98ee3aaefef3fe5ea89bebf637b2923d65fd2cbabaa4f31d7053b72631d35aef30887900d84e40d03375afa536f8d3c1f8f0ed85195dcd09fff6133dbf

Download Submit
memory/1280-25-0x0000000000AB0000-0x0000000000BB2000-memory.dmp

Filesize
1.0MB

Download
memory/1280-14-0x0000000000AB0000-0x0000000000BB2000-memory.dmp

Filesize
1.0MB

Download
memory/1280-0-0x0000000000AB0000-0x0000000000BB2000-memory.dmp

Filesize
1.0MB

Download
memory/1280-26-0x0000000000AB0000-0x0000000000BB2000-memory.dmp

Filesize
1.0MB

Download
memory/1280-28-0x0000000000AB0000-0x0000000000BB2000-memory.dmp

Filesize
1.0MB

Download
memory/1280-38-0x0000000000AB0000-0x0000000000BB2000-memory.dmp

Filesize
1.0MB

Download
memory/1280-59-0x0000000000AB0000-0x0000000000BB2000-memory.dmp

Filesize
1.0MB

Download
memory/3488-4-0x00000000032F0000-0x00000000032F3000-memory.dmp

Filesize
12KB

Download
memory/3488-16-0x0000000003680000-0x00000000036F9000-memory.dmp

Filesize
484KB

Download
memory/3488-5-0x0000000003680000-0x00000000036F9000-memory.dmp

Filesize
484KB

Download
memory/3488-6-0x00000000032F0000-0x00000000032F3000-memory.dmp

Filesize
12KB

Download
memory/3488-7-0x0000000003680000-0x00000000036F9000-memory.dmp

Filesize
484KB

Download
memory/3488-3-0x00000000032F0000-0x00000000032F3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing