5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6

General

Target

5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
Size

8.6MB
MD5

214f80d49bb436a6aad7b5c684d069b9
SHA1

73fe4c7e83fcc1d2666fe2059c25aa380c074622
SHA256

5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6
SHA512

17ff1e2f8973f95ee092c15704afe5acca2dab61483935187ceb8b072916e99371c0b594240a151376b6b87fa4f3b8f2caf4978056b90c73cfc0424176308a85
SSDEEP

98304:J8bAz4y9gQfS2Kqn4CnLEslfYexusOK8gyo4q8P8SkCdyn21PlrdaXX:aNegQ2G4CnLE27ue8Fo4q8Fk21PO

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2300	aria2c.exe

Loads dropped DLL 3 IoCs

pid	Process
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
2760	Process not Found

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1548-12-0x00000000033E0000-0x0000000003477000-memory.dmp	upx
behavioral1/memory/1548-14-0x00000000033E0000-0x0000000003477000-memory.dmp	upx
behavioral1/memory/1548-36-0x00000000033E0000-0x0000000003477000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2300	1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe	28
PID 1548 wrote to memory of 2300	1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe	28
PID 1548 wrote to memory of 2300	1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe	28
PID 1548 wrote to memory of 2300	1548	5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe	28

C:\Users\Admin\AppData\Local\Temp\5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe
"C:\Users\Admin\AppData\Local\Temp\5d2eaaa35360b5d1f0afc080ce21aa50da7c9effd6dc6184f8f35a4c6becaab6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\aria2c.exe
  --check-certificate=false --disable-ipv6=true --enable-rpc=true --quiet=true --rpc-allow-origin-all=true --rpc-listen-all=true --rpc-listen-port=7111 --rpc-secret=DOWNLOAD --stop-with-process=1548 --dir="C:\Users\Admin\AppData\Local\Temp\down" --continue=true --max-tries=0 --max-connection-per-server=15 --min-split-size=5M --split=10 --max-concurrent-downloads=5 --file-allocation=falloc
  2⤵
  - Executes dropped EXE
  PID:2300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\aria2c.exe

Filesize
5.3MB

MD5
53d237cbbdac5ae3dc65c9ee8a51094d

SHA1
b2aa5c6150f556f3fa6f6904ac57befc07a14b6d

SHA256
2646c5d3eb8b0fc57e85f30434cef3d3a261d01f065fc4ad23f020c31f1dd6bd

SHA512
7a29d0fbcca4402c32756ccdf8b8c79a36512d005f695d8eb9b8c88412a57d916e581ae58c55451cf6210cd76d6bdc166121492b1b653719d30a4758a7c3a5cb

Download Submit
memory/1548-21-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-15-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-32-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-30-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-16-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-17-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-27-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-31-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-18-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-20-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-22-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-0-0x0000000010000000-0x000000001010A000-memory.dmp

Filesize
1.0MB

Download
memory/1548-44-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-12-0x00000000033E0000-0x0000000003477000-memory.dmp

Filesize
604KB

Download
memory/1548-14-0x00000000033E0000-0x0000000003477000-memory.dmp

Filesize
604KB

Download
memory/1548-29-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-28-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-26-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-25-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-24-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-23-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-19-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-33-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/1548-36-0x00000000033E0000-0x0000000003477000-memory.dmp

Filesize
604KB

Download
memory/1548-37-0x00000000035F0000-0x000000000365B000-memory.dmp

Filesize
428KB

Download
memory/2300-34-0x0000000000D60000-0x00000000012C0000-memory.dmp

Filesize
5.4MB

Download

Analysis

Sharing