97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe
Size

49KB
MD5

46ce5176f565435db0a589609759bca0
SHA1

9ff7799f63c290946a470947cbd20af4beffaa49
SHA256

97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15
SHA512

786eb78be4905a2afbecd5e2b33d180e7e0403f706f7c050d9061cf604783ecc04ca5ebed887f1c046e92b5a2480bb3b0d0a5b8dec381c4bdbe6cf12febb297b
SSDEEP

1536:H1QPAzA0bWaBr6Dyc+dv+MdeqvswW7WurRd3:H1QPYbD6D52mFqvsn7Vd3

Score

8^/10

upx vmprotect

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1064-54-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1064-57-0x0000000000400000-0x0000000000416000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Windows\SysWOW64\bnsspx.dll	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

976 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

pid process

1064 97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

pid	process
976	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

description	ioc	process
File created	C:\Windows\SysWOW64\bnsspx.dll	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

pid	process
1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe
1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe
1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe
1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe
1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe
1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

pid process

1064 97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe
464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

description pid process

Token: SeLoadDriverPrivilege 1064 97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

description	pid	process
Token: SeLoadDriverPrivilege	1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe

description	pid	process	target process
PID 1064 wrote to memory of 976	1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe	cmd.exe
PID 1064 wrote to memory of 976	1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe	cmd.exe
PID 1064 wrote to memory of 976	1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe	cmd.exe
PID 1064 wrote to memory of 976	1064	97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe
"C:\Users\Admin\AppData\Local\Temp\97dfda1e4250bf35edc723f865f64fccde8d8bf4148b93ddb5a37d32da94fc15.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\uisad.bat
2⤵
- Deletes itself
PID:976

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\uisad.bat
Filesize
249B

MD5
69b6a3463ccf63319fce29d2bf03fb1b

SHA1
f461fb21b76be48da9f4a13b84af24ae6c54678e

SHA256
ba24c2e345cadb2ce3a4b11a824dede186c1e0edde773888a723322f43c10d65

SHA512
b8851b31945ced733481058575d2b0ef993bce6973994b80a07b6fd3195caa6aee920c7825da41000fc0aec9455285693cbb5897ffbeeb13941fde03c53f7943

Download Submit
\Windows\SysWOW64\bnsspx.dll
Filesize
52KB

MD5
b1c65f5eee9c0ac609e79a3b7fb92bf1

SHA1
a87a15f7ef332e87e34aeef19c62499957c2dceb

SHA256
1d9d140865cddc93e7e021d6f185812eff1f1f19f76e6a0d90030511ff8d4037

SHA512
9fb52f6b5dfc3eeff9b74d818ade74b7a4f2bb8694e89ead48c42e1994474a7b185379712424711c36a53c5fa9482a4a568fc23086f9279c5a872ac09c802d1c

Download Submit
memory/976-56-0x0000000000000000-mapping.dmp

Download
memory/1064-54-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1064-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads