74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f

General

Target

74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
Size

536KB
MD5

40b0acbf4b217ea700677d3e1ea751ed
SHA1

a6b3635de8ecc55e05e6dbbc97e91322a8cecb65
SHA256

74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f
SHA512

ea0560c0a49e9fda5d2a0579048cea6d65f8dece7250e481398ecec76581304d8dfaf6255e9e31659a2c713fbb9d24a52a2729050bde65cff824708f595283dc
SSDEEP

12288:Thf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:TdQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2448-0-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral1/memory/2448-41-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral1/memory/2448-356-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral1/memory/2448-711-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx
behavioral1/memory/2448-719-0x0000000000EF0000-0x0000000000FF2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\29e920	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
Token: SeTcbPrivilege	2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
Token: SeDebugPrivilege	2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
Token: SeDebugPrivilege	1240	Explorer.EXE
Token: SeTcbPrivilege	1240	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1240	2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe	11
PID 2448 wrote to memory of 1240	2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe	11
PID 2448 wrote to memory of 1240	2448	74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240
- C:\Users\Admin\AppData\Local\Temp\74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe
  "C:\Users\Admin\AppData\Local\Temp\74ac6477a1b0bf170756d1aa868a55df8237abe6b5a39980f9d0a53143322b4f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0cd672d9fec9f6a6efa2b756907cac81

SHA1
d5b9fd8fb435b1a78cdd89201aa84b23ca1d827b

SHA256
3e423568f815a6b63a26ad80a1ef923c9cc04f0ff20ca999b47c795f0709427c

SHA512
5f77a01a35e321fadc164e5bb4a69d9e95cfb88d6eb8a0db52811bcdbd98a81f71b1970cc332ab6c4349017145be89adfab5ac455ffce9422b42e8b8683039fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec50c177021f543117f232a956f33c9c

SHA1
80fd2ea424a88ffa15a81053e93dbdee0fcf0b04

SHA256
3b1f91861d9fc4af11484a9d530ad0057ca71a7ec01f1d1507d30f66448431e8

SHA512
c0fd38ff46e4ba279c8e865b210aa80a75545b7432eab1f84149fdca136ff68385a0e350a0172fa318c90809920f06422ac02181b05bc87400b149f2b6c4d6ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7a532e15b867f3cdb691c90c58f895d

SHA1
ffa76deb01351e81a41b3958b7535de2493745a3

SHA256
e9c721b5e407a3bc7a6cf6be24403be48833ce396288aef86204da72d69441a8

SHA512
4c51bda384a43e571d078fea709a5a53c449cca69d0771f3968ea9890bc60fdfc855f804062ddfb40a9165a382f82387670b8a4f173f6216ded71d87d05f6221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3715069d7f439922dde266bf0d34f2eb

SHA1
19f9009fbcd2a6d31ddcf9b0ae0eab3e9e266c82

SHA256
09125bf1f9bcd3e3ceb4503f7d4248a1acf2bf94511a00bfd3a86fc5c1be7249

SHA512
43468434018ebd61f26cc9a3b9dd41ab0959ac8c420e115cc5ab2d6d194de63d7181c422bebd7d825f448d547322349cb40608c24b5acfc8496c1b41767b3397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7efcfc97a51b7077786bd779676d6e2

SHA1
a0f5beeca11e81353cfbe6631412deb9d3087c77

SHA256
52b969e19042f54bd9c2734deb3a9e89066a7454fdc1bcfc247df30dc3547edd

SHA512
79b884b0a64590ddb2b049981bb3ecdc869f7d3337367e23e051fd51712791fbb4d3ea0f13a5f2608b3d4be83e47a19079f580a5aa1a177722244107d327addb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c65bb7412db5f88f1dd2e3168678763f

SHA1
f3b543e0721a064aed0ad1c8b7247b917012e7d4

SHA256
025f1bb3c41078c425e905ef306d2dec4dc16a5798b3f1fe2ac47f134f79e585

SHA512
9ea0704cb1c3f9671a2f9a0bb2f1cb11550edbe91d0e46eba8d3950dac9eecfb0e1de28032fcac3ea11ab5451441ead2f3567ce3955968c112ebc699e77dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9AFA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9B2C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1240-151-0x0000000003940000-0x00000000039B9000-memory.dmp

Filesize
484KB

Download
memory/1240-6-0x00000000025B0000-0x00000000025B3000-memory.dmp

Filesize
12KB

Download
memory/1240-5-0x0000000003940000-0x00000000039B9000-memory.dmp

Filesize
484KB

Download
memory/1240-4-0x00000000025B0000-0x00000000025B3000-memory.dmp

Filesize
12KB

Download
memory/1240-3-0x00000000025B0000-0x00000000025B3000-memory.dmp

Filesize
12KB

Download
memory/2448-0-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/2448-41-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/2448-356-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/2448-711-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download
memory/2448-719-0x0000000000EF0000-0x0000000000FF2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing