eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7

General

Target

eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
Size

536KB
MD5

2d2dc5b827786fb71c21e241007d7107
SHA1

0b19bcb2c1ff20dfbd3a364b91e7248242836c06
SHA256

eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7
SHA512

1490c7648a9cdca977cec7e60a71a25c8dd715532d2b7467c6a17e099bfecaad2f97ec24fc246a05452bb887f7368e0e03f2be223f899937957721c2eb81bfc9
SSDEEP

12288:+hf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:+dQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4576-0-0x0000000000860000-0x0000000000962000-memory.dmp	upx
behavioral2/memory/4576-14-0x0000000000860000-0x0000000000962000-memory.dmp	upx
behavioral2/memory/4576-25-0x0000000000860000-0x0000000000962000-memory.dmp	upx
behavioral2/memory/4576-26-0x0000000000860000-0x0000000000962000-memory.dmp	upx
behavioral2/memory/4576-31-0x0000000000860000-0x0000000000962000-memory.dmp	upx
behavioral2/memory/4576-39-0x0000000000860000-0x0000000000962000-memory.dmp	upx
behavioral2/memory/4576-57-0x0000000000860000-0x0000000000962000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4e57c0	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
3496	Explorer.EXE
3496	Explorer.EXE
3496	Explorer.EXE
3496	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
Token: SeTcbPrivilege	4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
Token: SeDebugPrivilege	4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
Token: SeDebugPrivilege	3496	Explorer.EXE
Token: SeTcbPrivilege	3496	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3496	Explorer.EXE
3496	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3496	4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe	45
PID 4576 wrote to memory of 3496	4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe	45
PID 4576 wrote to memory of 3496	4576	eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3496
- C:\Users\Admin\AppData\Local\Temp\eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe
  "C:\Users\Admin\AppData\Local\Temp\eb8e2fcd70cad134786be53bac6d46186e7b63e6eefb62a3e7605173cd3919a7.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
bd59bf4a44ca7b55f02a18740bbac811

SHA1
9f643466e9cd6c59b78c5d5ab0a4346af8e0a0f6

SHA256
71ad720a436190f44fe7cfd42a7ba5ba13c0893cac5e42eecbe516e21f5aa880

SHA512
ddda5b7ed5022b92c7db049f802f761f9c9ec05d67085453d23207bbab8eaf0ef82eafdd9ca9fc535371baa703a106f2d428bc3eb64db1df7eace6baac558305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
938B

MD5
0d3b5d8511f10662c6c27bc0458a9668

SHA1
510b3fbcc55ea53034a970a6408cb7b071315e58

SHA256
65beb8ca9aef610163b5d172183002935abadad61b1866df8c0c10b323858d20

SHA512
22faeed022a7a320d9696e25a1a311c7ee14c7f1acaede7e693ba717afe79e2108aa4f54f50287216535b0d712289f612c3c1484e8a449292ac7b8551aadab56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
065f950e406364ba4b7cb43a22c725e8

SHA1
0dfa78200c9dc6e906b9dd7c9cf5de5ac5a198ae

SHA256
dbd6aaa3c54caf1b149d935d5d5b76f3ed3d96955c7eeb3ca79656251ff3cb83

SHA512
170d85bf8df213181a1663231818e2f380c468532a69d53b012bfa71215d1f773c8be59a995c4b3702135e92b01033e4f2de7eb49c8e5c89bb473ee35f0e36d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
520B

MD5
168db7e5e67de98abf07d99b847196df

SHA1
862fbd1d424714b56eef28800050104f23b15a89

SHA256
9df19b29272d0d2b97a7da903a772ec5ffc43e2145240822421ae4c79ed74537

SHA512
01ca293a067f7ac0566e1ad7e369af0a3ff0026a166837e8f8b64935cb3fe9d8a55129f9d15db6c66582c279b272a0137b3e383757f6e66d98c2b7f2a0bc02d8

Download Submit
memory/3496-7-0x0000000006BD0000-0x0000000006C49000-memory.dmp

Filesize
484KB

Download
memory/3496-16-0x0000000006BD0000-0x0000000006C49000-memory.dmp

Filesize
484KB

Download
memory/3496-6-0x0000000002790000-0x0000000002793000-memory.dmp

Filesize
12KB

Download
memory/3496-4-0x0000000006BD0000-0x0000000006C49000-memory.dmp

Filesize
484KB

Download
memory/3496-3-0x0000000002790000-0x0000000002793000-memory.dmp

Filesize
12KB

Download
memory/4576-14-0x0000000000860000-0x0000000000962000-memory.dmp

Filesize
1.0MB

Download
memory/4576-0-0x0000000000860000-0x0000000000962000-memory.dmp

Filesize
1.0MB

Download
memory/4576-25-0x0000000000860000-0x0000000000962000-memory.dmp

Filesize
1.0MB

Download
memory/4576-26-0x0000000000860000-0x0000000000962000-memory.dmp

Filesize
1.0MB

Download
memory/4576-31-0x0000000000860000-0x0000000000962000-memory.dmp

Filesize
1.0MB

Download
memory/4576-39-0x0000000000860000-0x0000000000962000-memory.dmp

Filesize
1.0MB

Download
memory/4576-57-0x0000000000860000-0x0000000000962000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing