445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5

General

Target

445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
Size

536KB
MD5

4b48064dfad2e090e9c4d44bd6c85938
SHA1

2f995dcc101ca2ec5079a721ba5aa77cf367abc0
SHA256

445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5
SHA512

aafd468ccd49ac816795c0a55572c09aa1ac612f06e245a17126f52bbb20fec546863a266c1fb49077fbf975ace225bb1c8e6ee32fe604185d972da367bc1b3e
SSDEEP

12288:ohf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:odQyDL9xp/BGA1RkmOkx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1360-0-0x0000000000650000-0x0000000000752000-memory.dmp	upx
behavioral2/memory/1360-14-0x0000000000650000-0x0000000000752000-memory.dmp	upx
behavioral2/memory/1360-25-0x0000000000650000-0x0000000000752000-memory.dmp	upx
behavioral2/memory/1360-26-0x0000000000650000-0x0000000000752000-memory.dmp	upx
behavioral2/memory/1360-30-0x0000000000650000-0x0000000000752000-memory.dmp	upx
behavioral2/memory/1360-36-0x0000000000650000-0x0000000000752000-memory.dmp	upx
behavioral2/memory/1360-62-0x0000000000650000-0x0000000000752000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1748a0	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
3472	Explorer.EXE
3472	Explorer.EXE
3472	Explorer.EXE
3472	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
Token: SeTcbPrivilege	1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
Token: SeDebugPrivilege	1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
Token: SeDebugPrivilege	3472	Explorer.EXE
Token: SeTcbPrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3472	Explorer.EXE
3472	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 3472	1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe	37
PID 1360 wrote to memory of 3472	1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe	37
PID 1360 wrote to memory of 3472	1360	445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3472
- C:\Users\Admin\AppData\Local\Temp\445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe
  "C:\Users\Admin\AppData\Local\Temp\445d0e1307ca1a6b6b31ae601b5a4de8ad3ef7e3856eb73b7b59c97da81251c5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
bca141c829ab3de0ffd7340627ea32bd

SHA1
f06aeed3a48313efc664a0fde3fc02672afb15b8

SHA256
e5f0b3467aea2635aac968f6f191ba7931551157c4f37b8870fa5cd63fa3e32d

SHA512
3e0a45c82a27b58b8c349348a7339b611216b23ee5bbed0e36f3b9e1f82793aa70172f6acc0d7b472397db7d35d600e72d7bf9ff7c5cdf4c45f657899c7d0248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
937B

MD5
6367d3a9d479080cadd998dc36a4ea77

SHA1
40b14e15578298cdf3915849aa82e51ec5a8d7de

SHA256
4a040f65819bcc070399f709aa14d20c7e11644be54b3016c1d6d85d837b9cda

SHA512
7a404a3e164b57748b8e64484268622c1dd5023d2921d3620470f280e5d307dacfc117f00ec7a234debe4a0ad54266e65cc71f8a945c84e2083821e74daed7e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
0b66611a4ab7d4918cfefe604f2e4329

SHA1
fff47b2577af5be4fc1b7522fb6f1db72dc9fc95

SHA256
91e6c16245d3cae0a746854ada5c40532b113bbcb87471e8492ca364e8a1f457

SHA512
8e5931f94cde1b4c94fecb3b9723b5a223d7391bbd2676eb95bf4f9f3802dc43ce8ff7fc4ea76f1dd226163a01556d13d2652c3c3a1d8ca6d6cc7e2ea552b5ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
520B

MD5
08ba01f6b958807b1457ef0c3e968609

SHA1
ce6e64c1380e35c076157e8e6c011bc6b1e66a53

SHA256
2815ffe3c2877fa82a8f1472ed846a65c97ee9f8cc48e39047aa635d4e5fc878

SHA512
e0bb49a785ea067068f1c0d574b53715a2249f56cb4bc2fe2e320c7442fcca822edf439c671da68408a1dcd77da8701b742d8aca2e7d0023fccadfebae073b4d

Download Submit
C:\Windows\1748a0

Filesize
4KB

MD5
dae8e6ec3110dcad403004ad507adf57

SHA1
81b1e0e09b2e55d64a09ecb5e5147995c521cd14

SHA256
c7ed0ad5882a1c16fe4121f997aa82e6cf8fd90a5c182b988b3b743c556d9503

SHA512
4f7344a13894b9a63074c0ddfe1f07d40690fa0cb45420a2265c6ff7019618fb34a34b0c69f36d7e90bd90610a3e22b3a6868d393e33ecc9f11cce19840ea71e

Download Submit
memory/1360-25-0x0000000000650000-0x0000000000752000-memory.dmp

Filesize
1.0MB

Download
memory/1360-14-0x0000000000650000-0x0000000000752000-memory.dmp

Filesize
1.0MB

Download
memory/1360-0-0x0000000000650000-0x0000000000752000-memory.dmp

Filesize
1.0MB

Download
memory/1360-26-0x0000000000650000-0x0000000000752000-memory.dmp

Filesize
1.0MB

Download
memory/1360-30-0x0000000000650000-0x0000000000752000-memory.dmp

Filesize
1.0MB

Download
memory/1360-36-0x0000000000650000-0x0000000000752000-memory.dmp

Filesize
1.0MB

Download
memory/1360-62-0x0000000000650000-0x0000000000752000-memory.dmp

Filesize
1.0MB

Download
memory/3472-16-0x0000000007450000-0x00000000074C9000-memory.dmp

Filesize
484KB

Download
memory/3472-4-0x0000000002900000-0x0000000002903000-memory.dmp

Filesize
12KB

Download
memory/3472-6-0x0000000002900000-0x0000000002903000-memory.dmp

Filesize
12KB

Download
memory/3472-7-0x0000000007450000-0x00000000074C9000-memory.dmp

Filesize
484KB

Download
memory/3472-5-0x0000000007450000-0x00000000074C9000-memory.dmp

Filesize
484KB

Download
memory/3472-3-0x0000000002900000-0x0000000002903000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing