6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809

General

Target

6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
Size

536KB
MD5

166edfcf0b9ab50f9d1429ad9cd891fd
SHA1

315a4ac4eba6a9469f824a551fd51fcccca4afe8
SHA256

6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809
SHA512

4dd29896cbe4bdfb20abd649f148bf2486aaedc8962a20b30a27dcaa83c84d1932faf0c012625c3c421d3016228530b9f671d4415a35a81f0fa7615b758c470a
SSDEEP

12288:4hf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:4dQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2544-0-0x0000000000340000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/2544-13-0x0000000000340000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/2544-24-0x0000000000340000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/2544-25-0x0000000000340000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/2544-30-0x0000000000340000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/2544-42-0x0000000000340000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/2544-66-0x0000000000340000-0x0000000000442000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2b8de0	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
3596	Explorer.EXE
3596	Explorer.EXE
3596	Explorer.EXE
3596	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
Token: SeTcbPrivilege	2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
Token: SeDebugPrivilege	2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
Token: SeDebugPrivilege	3596	Explorer.EXE
Token: SeTcbPrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3596	Explorer.EXE
3596	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3596	2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe	49
PID 2544 wrote to memory of 3596	2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe	49
PID 2544 wrote to memory of 3596	2544	6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe	49

C:\Users\Admin\AppData\Local\Temp\6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe
"C:\Users\Admin\AppData\Local\Temp\6ff32f0b4050b0e54ab9e319f7ad59d441659a486cb4ae7f375ecd11913b9809.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
feb262da3ec4548de980cdbbefef7ed0

SHA1
bb69cfbd7c46c21e529118a495802ab79a2fa8df

SHA256
767d9c3d3e240a01310d0ec0309a5f0df7a4ded82aac46e017b37bb465ad5706

SHA512
b89babaf9ca8d4bcf7f49ca9841cc975ff681ea35593a458115e14a49af17941185f65d1052272d4ff30ac6d58097eab5d3714b459fef73269a47a4da6f6b31f

Download Submit
C:\Windows\2b8de0

Filesize
4KB

MD5
7e56fc756c2da32260857ff5a12fff88

SHA1
b9c86d11d3f2145b68c8f946fbdb4c494a8bf207

SHA256
8bc66997c3468bcdb676b9d260a5618cdbfc4cabe0a3ad5d9f50b92375d9ee2c

SHA512
d7d42f5556e8dc9d78a70b4cb6176b53a674c87143ba0650f271a99bec87613f21fe642383abddc693e539e614e8348ad2aac84f25121216a9e2a4c73b3fe522

Download Submit
memory/2544-25-0x0000000000340000-0x0000000000442000-memory.dmp

Filesize
1.0MB

Download
memory/2544-66-0x0000000000340000-0x0000000000442000-memory.dmp

Filesize
1.0MB

Download
memory/2544-0-0x0000000000340000-0x0000000000442000-memory.dmp

Filesize
1.0MB

Download
memory/2544-42-0x0000000000340000-0x0000000000442000-memory.dmp

Filesize
1.0MB

Download
memory/2544-13-0x0000000000340000-0x0000000000442000-memory.dmp

Filesize
1.0MB

Download
memory/2544-30-0x0000000000340000-0x0000000000442000-memory.dmp

Filesize
1.0MB

Download
memory/2544-24-0x0000000000340000-0x0000000000442000-memory.dmp

Filesize
1.0MB

Download
memory/3596-4-0x00000000076D0000-0x0000000007749000-memory.dmp

Filesize
484KB

Download
memory/3596-15-0x00000000076D0000-0x0000000007749000-memory.dmp

Filesize
484KB

Download
memory/3596-3-0x00000000031E0000-0x00000000031E3000-memory.dmp

Filesize
12KB

Download
memory/3596-5-0x00000000031E0000-0x00000000031E3000-memory.dmp

Filesize
12KB

Download
memory/3596-6-0x00000000076D0000-0x0000000007749000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing