e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9

General

Target

e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
Size

536KB
MD5

f158c92926d7537a8de5dd6bd4f0d657
SHA1

30f2cdfea250945928151740933d00cf76cc9099
SHA256

e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9
SHA512

595e6bc883031c045b29d8a8968d13ee2c91f622fda49dd1ef54a9287cd534fea0a8c71db6530d12baf40bc9238adbf5671de28c35d4a928ff5640284ce622a1
SSDEEP

12288:Ghf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:GdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5060-0-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/5060-14-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/5060-25-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/5060-26-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/5060-28-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/5060-45-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/5060-63-0x0000000000960000-0x0000000000A62000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\56a108	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
Token: SeTcbPrivilege	5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
Token: SeDebugPrivilege	5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
Token: SeDebugPrivilege	3408	Explorer.EXE
Token: SeTcbPrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3408	Explorer.EXE
3408	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3408	5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe	76
PID 5060 wrote to memory of 3408	5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe	76
PID 5060 wrote to memory of 3408	5060	e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe	76

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3408
- C:\Users\Admin\AppData\Local\Temp\e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
  "C:\Users\Admin\AppData\Local\Temp\e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a0de5bca35a5e89ffa483c5d5993dc45

SHA1
3475544812b6f84dc8cf28f87bf788b26e1f3638

SHA256
15fabee3f4b7e11d37319624c19bb5852a4b537b59877eebf95f26df8b35fd7c

SHA512
ab81f86c68d2eb230474335896e335344b62dba693dd99a724218e79348c55cbc4864d54d06d95f94239d9abb13404b2d19840861acd6afd4ce02aa2861422b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
937B

MD5
6367d3a9d479080cadd998dc36a4ea77

SHA1
40b14e15578298cdf3915849aa82e51ec5a8d7de

SHA256
4a040f65819bcc070399f709aa14d20c7e11644be54b3016c1d6d85d837b9cda

SHA512
7a404a3e164b57748b8e64484268622c1dd5023d2921d3620470f280e5d307dacfc117f00ec7a234debe4a0ad54266e65cc71f8a945c84e2083821e74daed7e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
761e2f3feb69a110b4e9bfe8ec1f6185

SHA1
b919f9627030bf468b9211900f268a92ea12c338

SHA256
5102a1bb26c7995f54df8727b242b4f5f079c5d53080fa7ca5202a792791a7d7

SHA512
355b54d66eb5a343a1686de10d73f19748cc5419767cb7874fa760ddf29ea4f349f99007bdb99938a12d510ba7a0ba8cfec3000b6087ed66355a455be4203b1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
520B

MD5
507903791ce7b046e5ba6debfd5ac4bd

SHA1
0d7a20336d306e13fa516ee31693c2cea27962f6

SHA256
39e2c4f291e28ef8dc42868e909af95a973360b3433f1508290865346ce52d99

SHA512
142645a5a0dd3d503b9d41a7eca811a7e1dc943282e50c95424efbe376a2f00db5b02a58437112fa5698c7421b898dedba8ba3b6acc16a63c4e03e5d7959e828

Download Submit
memory/3408-3-0x00000000031A0000-0x00000000031A3000-memory.dmp

Filesize
12KB

Download
memory/3408-16-0x0000000003420000-0x0000000003499000-memory.dmp

Filesize
484KB

Download
memory/3408-4-0x0000000003420000-0x0000000003499000-memory.dmp

Filesize
484KB

Download
memory/3408-6-0x00000000031A0000-0x00000000031A3000-memory.dmp

Filesize
12KB

Download
memory/3408-7-0x0000000003420000-0x0000000003499000-memory.dmp

Filesize
484KB

Download
memory/5060-14-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/5060-0-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/5060-25-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/5060-26-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/5060-28-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/5060-45-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/5060-63-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing