0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d

General

Target

0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
Size

536KB
MD5

4c1a2a6180829d55a40d6d1fdc481c3b
SHA1

dcbdec7ca01efe9534233a4bda6843d483aa5882
SHA256

0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d
SHA512

f122fa7c2bad3301f7d5e87858dbdd29a37308a52359d45a2acc58394849786b2bde3b16085081d28509fb17d855651bd2c83e8e71d4b407edfafe0e77e7cc9c
SSDEEP

12288:Yhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:YdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4620-0-0x00000000004B0000-0x00000000005B2000-memory.dmp	upx
behavioral2/memory/4620-16-0x00000000004B0000-0x00000000005B2000-memory.dmp	upx
behavioral2/memory/4620-27-0x00000000004B0000-0x00000000005B2000-memory.dmp	upx
behavioral2/memory/4620-28-0x00000000004B0000-0x00000000005B2000-memory.dmp	upx
behavioral2/memory/4620-35-0x00000000004B0000-0x00000000005B2000-memory.dmp	upx
behavioral2/memory/4620-47-0x00000000004B0000-0x00000000005B2000-memory.dmp	upx
behavioral2/memory/4620-71-0x00000000004B0000-0x00000000005B2000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4f1898	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
Token: SeTcbPrivilege	4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
Token: SeDebugPrivilege	4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
Token: SeDebugPrivilege	3372	Explorer.EXE
Token: SeTcbPrivilege	3372	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 3372	4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe	69
PID 4620 wrote to memory of 3372	4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe	69
PID 4620 wrote to memory of 3372	4620	0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe	69

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3372
- C:\Users\Admin\AppData\Local\Temp\0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe
  "C:\Users\Admin\AppData\Local\Temp\0d4e462fee946196047d417a459f989b579605bf088f7c5137f4b7a2bd31e67d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
a10d82f0bb8bfbff173166cbfe2c513d

SHA1
f52262c0f908c99b12a06751a7b9091279a614d9

SHA256
7873d9a1040c099133674b95df091c25a71bba7cb29bab261ab62866394dd00b

SHA512
9694b1027fd3218eece3d90887c0c23efe141c1e8c97f8ef629eab1307dc162e8fff354aac6e3b85729890df8e9672facbb310eb9fe1f5440d74d69cfa3619e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
939B

MD5
e227726d814fcab468352c0b58b1c71d

SHA1
cddeee10272e9cd07330f86c17fc58c17762f051

SHA256
387234a4242d7d74146f3880e1e2d7ed38519f2d3e1536a4654f2970b6de881f

SHA512
12b89823a557dc16004a9093065d2dcbe11637951c1c0a978d6db45088e6f2cbefa52ba236fb27dd7d0435bc1baf5fdc0cc488e0d53c7558230d08d19f48f9ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
69bef74c58a7b64392449431c857f829

SHA1
3ef166f866d76a4c5e18f6078266f892addc7f42

SHA256
572824547ad8f8786666b18595852c1248bb5cf4e61c1d0e1a45040a3ed258ef

SHA512
0cbe9f15f8ee0baa73cd479b54202fcf13f4dab19ee034abdf8a7306044b8c45c23cb98a95f5cce2c496c0c399811e0c4ad06117b1ac4b5895cb661e4925ac39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3

Filesize
520B

MD5
ab9b800fda008d88face3480f525ea5d

SHA1
803c48340285510bc76973ff15da7280697eea1d

SHA256
2a0690ec40150ae8b1790608d0b708cfd95286aac855340c123152abffd0e835

SHA512
f9d1a1445219e5129fb9a8f67c5c5a6cc68a7df6b685ac482e8d96a4978158bf66863e0da2b5e188039d6beb70f67e3ef02c73b88b666806f676d40a2464dd35

Download Submit
C:\Windows\4f1898

Filesize
4KB

MD5
5d8061ce09ac3097dfcb8918ee13c43c

SHA1
a4d8cd77eea0159df25db972ace2aa2fbae18afd

SHA256
be14020ec64219cf05d475321693fc929a9a8564796f1971e508a0ab70a51a54

SHA512
4bbabfdcd9df48d610a9c48660b25b04b0247c470b40f38de3e8712a032702f1cef433078dca347cbdb2312fd380bfa2506d318b85604f4aa20c20661b1f86d2

Download Submit
memory/3372-7-0x0000000003570000-0x00000000035E9000-memory.dmp

Filesize
484KB

Download
memory/3372-18-0x0000000003570000-0x00000000035E9000-memory.dmp

Filesize
484KB

Download
memory/3372-6-0x0000000001470000-0x0000000001473000-memory.dmp

Filesize
12KB

Download
memory/3372-4-0x0000000001470000-0x0000000001473000-memory.dmp

Filesize
12KB

Download
memory/3372-5-0x0000000003570000-0x00000000035E9000-memory.dmp

Filesize
484KB

Download
memory/3372-3-0x0000000001470000-0x0000000001473000-memory.dmp

Filesize
12KB

Download
memory/4620-16-0x00000000004B0000-0x00000000005B2000-memory.dmp

Filesize
1.0MB

Download
memory/4620-0-0x00000000004B0000-0x00000000005B2000-memory.dmp

Filesize
1.0MB

Download
memory/4620-27-0x00000000004B0000-0x00000000005B2000-memory.dmp

Filesize
1.0MB

Download
memory/4620-28-0x00000000004B0000-0x00000000005B2000-memory.dmp

Filesize
1.0MB

Download
memory/4620-35-0x00000000004B0000-0x00000000005B2000-memory.dmp

Filesize
1.0MB

Download
memory/4620-47-0x00000000004B0000-0x00000000005B2000-memory.dmp

Filesize
1.0MB

Download
memory/4620-71-0x00000000004B0000-0x00000000005B2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing