d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e

Analysis

max time kernel
63s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2023 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
Size

3.2MB
MD5

1a6d25867ba0a964b17d5de42b089a08
SHA1

b49bd39ece3e9ef7406033b71e9264b96368fafb
SHA256

d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e
SHA512

c8c9e6bad2eefd541ea0f2ca107f3cf038bd26934740d7dab34503185aae685a5b8a850c57faaa82600e1f0cca47d583d7a52c85a00d45662ae490cdddd3e457
SSDEEP

98304:7YlToliya34y41MiJdhQbkjGYVnJvGNyQr8HzvN:0lTvKy4+8hFFVnRkNr8HzvN

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EdpRecUpAgent.log	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File opened for modification	C:\Windows\SysWOW64\VRVEDP_M.exe	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File created	C:\Windows\SysWOW64\EdpGeneralFuncX64.dll	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File opened for modification	C:\Windows\SysWOW64\EdpGenFunc.dll	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File created	C:\Windows\SysWOW64\EdpGenFunc.dll	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File opened for modification	C:\Windows\SysWOW64\EdpKvDbInfo.xml	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File created	C:\Windows\SysWOW64\EdpKvDbInfo.xml	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File opened for modification	C:\Windows\SysWOW64\UpAgent.log	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File opened for modification	C:\Windows\SysWOW64\EdpGeneralFuncX64.dll	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File opened for modification	C:\Windows\SysWOW64\vrv_virusdatabase.XML	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File created	C:\Windows\SysWOW64\vrv_virusdatabase.XML	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
File opened for modification	C:\Windows\SysWOW64\Watchclient.ini	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
176	sc.exe
1888	sc.exe

Kills process with WMI 10 IoCs

evasion

pid	Process
3432	WMIC.exe
3484	WMIC.exe
1492	WMIC.exe
1096	WMIC.exe
480	WMIC.exe
692	WMIC.exe
4712	WMIC.exe
4724	WMIC.exe
3740	WMIC.exe
2708	WMIC.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
Token: SeIncreaseQuotaPrivilege	3432	WMIC.exe
Token: SeSecurityPrivilege	3432	WMIC.exe
Token: SeTakeOwnershipPrivilege	3432	WMIC.exe
Token: SeLoadDriverPrivilege	3432	WMIC.exe
Token: SeSystemProfilePrivilege	3432	WMIC.exe
Token: SeSystemtimePrivilege	3432	WMIC.exe
Token: SeProfSingleProcessPrivilege	3432	WMIC.exe
Token: SeIncBasePriorityPrivilege	3432	WMIC.exe
Token: SeCreatePagefilePrivilege	3432	WMIC.exe
Token: SeBackupPrivilege	3432	WMIC.exe
Token: SeRestorePrivilege	3432	WMIC.exe
Token: SeShutdownPrivilege	3432	WMIC.exe
Token: SeDebugPrivilege	3432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3432	WMIC.exe
Token: SeRemoteShutdownPrivilege	3432	WMIC.exe
Token: SeUndockPrivilege	3432	WMIC.exe
Token: SeManageVolumePrivilege	3432	WMIC.exe
Token: 33	3432	WMIC.exe
Token: 34	3432	WMIC.exe
Token: 35	3432	WMIC.exe
Token: 36	3432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3432	WMIC.exe
Token: SeSecurityPrivilege	3432	WMIC.exe
Token: SeTakeOwnershipPrivilege	3432	WMIC.exe
Token: SeLoadDriverPrivilege	3432	WMIC.exe
Token: SeSystemProfilePrivilege	3432	WMIC.exe
Token: SeSystemtimePrivilege	3432	WMIC.exe
Token: SeProfSingleProcessPrivilege	3432	WMIC.exe
Token: SeIncBasePriorityPrivilege	3432	WMIC.exe
Token: SeCreatePagefilePrivilege	3432	WMIC.exe
Token: SeBackupPrivilege	3432	WMIC.exe
Token: SeRestorePrivilege	3432	WMIC.exe
Token: SeShutdownPrivilege	3432	WMIC.exe
Token: SeDebugPrivilege	3432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3432	WMIC.exe
Token: SeRemoteShutdownPrivilege	3432	WMIC.exe
Token: SeUndockPrivilege	3432	WMIC.exe
Token: SeManageVolumePrivilege	3432	WMIC.exe
Token: 33	3432	WMIC.exe
Token: 34	3432	WMIC.exe
Token: 35	3432	WMIC.exe
Token: 36	3432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3484	WMIC.exe
Token: SeSecurityPrivilege	3484	WMIC.exe
Token: SeTakeOwnershipPrivilege	3484	WMIC.exe
Token: SeLoadDriverPrivilege	3484	WMIC.exe
Token: SeSystemProfilePrivilege	3484	WMIC.exe
Token: SeSystemtimePrivilege	3484	WMIC.exe
Token: SeProfSingleProcessPrivilege	3484	WMIC.exe
Token: SeIncBasePriorityPrivilege	3484	WMIC.exe
Token: SeCreatePagefilePrivilege	3484	WMIC.exe
Token: SeBackupPrivilege	3484	WMIC.exe
Token: SeRestorePrivilege	3484	WMIC.exe
Token: SeShutdownPrivilege	3484	WMIC.exe
Token: SeDebugPrivilege	3484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3484	WMIC.exe
Token: SeRemoteShutdownPrivilege	3484	WMIC.exe
Token: SeUndockPrivilege	3484	WMIC.exe
Token: SeManageVolumePrivilege	3484	WMIC.exe
Token: 33	3484	WMIC.exe
Token: 34	3484	WMIC.exe
Token: 35	3484	WMIC.exe
Token: 36	3484	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2292	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	88
PID 4604 wrote to memory of 2292	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	88
PID 4604 wrote to memory of 2292	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	88
PID 4604 wrote to memory of 5084	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	89
PID 4604 wrote to memory of 5084	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	89
PID 4604 wrote to memory of 5084	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	89
PID 5084 wrote to memory of 176	5084	cmd.exe	91
PID 5084 wrote to memory of 176	5084	cmd.exe	91
PID 5084 wrote to memory of 176	5084	cmd.exe	91
PID 4604 wrote to memory of 224	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	92
PID 4604 wrote to memory of 224	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	92
PID 4604 wrote to memory of 224	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	92
PID 224 wrote to memory of 3432	224	cmd.exe	94
PID 224 wrote to memory of 3432	224	cmd.exe	94
PID 224 wrote to memory of 3432	224	cmd.exe	94
PID 224 wrote to memory of 3484	224	cmd.exe	95
PID 224 wrote to memory of 3484	224	cmd.exe	95
PID 224 wrote to memory of 3484	224	cmd.exe	95
PID 224 wrote to memory of 1492	224	cmd.exe	96
PID 224 wrote to memory of 1492	224	cmd.exe	96
PID 224 wrote to memory of 1492	224	cmd.exe	96
PID 224 wrote to memory of 1096	224	cmd.exe	97
PID 224 wrote to memory of 1096	224	cmd.exe	97
PID 224 wrote to memory of 1096	224	cmd.exe	97
PID 224 wrote to memory of 480	224	cmd.exe	98
PID 224 wrote to memory of 480	224	cmd.exe	98
PID 224 wrote to memory of 480	224	cmd.exe	98
PID 224 wrote to memory of 4724	224	cmd.exe	99
PID 224 wrote to memory of 4724	224	cmd.exe	99
PID 224 wrote to memory of 4724	224	cmd.exe	99
PID 224 wrote to memory of 3740	224	cmd.exe	100
PID 224 wrote to memory of 3740	224	cmd.exe	100
PID 224 wrote to memory of 3740	224	cmd.exe	100
PID 224 wrote to memory of 692	224	cmd.exe	101
PID 224 wrote to memory of 692	224	cmd.exe	101
PID 224 wrote to memory of 692	224	cmd.exe	101
PID 224 wrote to memory of 4712	224	cmd.exe	102
PID 224 wrote to memory of 4712	224	cmd.exe	102
PID 224 wrote to memory of 4712	224	cmd.exe	102
PID 224 wrote to memory of 2708	224	cmd.exe	103
PID 224 wrote to memory of 2708	224	cmd.exe	103
PID 224 wrote to memory of 2708	224	cmd.exe	103
PID 4604 wrote to memory of 3312	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	104
PID 4604 wrote to memory of 3312	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	104
PID 4604 wrote to memory of 3312	4604	d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe	104
PID 3312 wrote to memory of 1888	3312	cmd.exe	106
PID 3312 wrote to memory of 1888	3312	cmd.exe	106
PID 3312 wrote to memory of 1888	3312	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe
"C:\Users\Admin\AppData\Local\Temp\d2e5e5cd8dd235776167ac83d4e5b610e3af5544b23cfaaa534bc2266926740e.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\SysWOW64\vrvctl.ocx"
  2⤵
  PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc start vrvwatchserver
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\sc.exe
    sc start vrvwatchserver
    3⤵
    - Launches sc.exe
    PID:176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic process where "name='watchclient.exe' " call Terminate & wmic process where "name='vrvsafec.exe' " call Terminate & wmic process where "name='vrvsafec64.exe' " call Terminate & wmic process where "name='edpvistadlg.exe' " call Terminate & wmic process where "name='vrvedp_m.exe' " call Terminate & wmic process where "name='vrvrf_c.exe' " call Terminate & wmic process where "name='vrvrf_c64.exe' " call Terminate & wmic process where "name='edptrayicon.exe' " call Terminate & wmic process where "name='DLPTray.exe' " call Terminate & wmic process where "name='EdpXcltSkin.exe' " call Terminate exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='watchclient.exe' " call Terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='vrvsafec.exe' " call Terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='vrvsafec64.exe' " call Terminate
    3⤵
    - Kills process with WMI
    PID:1492
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='edpvistadlg.exe' " call Terminate
    3⤵
    - Kills process with WMI
    PID:1096
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='vrvedp_m.exe' " call Terminate
    3⤵
    - Kills process with WMI
    PID:480
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='vrvrf_c.exe' " call Terminate
    3⤵
    - Kills process with WMI
    PID:4724
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='vrvrf_c64.exe' " call Terminate
    3⤵
    - Kills process with WMI
    PID:3740
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='edptrayicon.exe' " call Terminate
    3⤵
    - Kills process with WMI
    PID:692
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='DLPTray.exe' " call Terminate
    3⤵
    - Kills process with WMI
    PID:4712
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where "name='EdpXcltSkin.exe' " call Terminate exit
    3⤵
    - Kills process with WMI
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc start vrvwatchserver
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\sc.exe
    sc start vrvwatchserver
    3⤵
    - Launches sc.exe
    PID:1888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/176-134-0x0000000000000000-mapping.dmp

Download
memory/224-135-0x0000000000000000-mapping.dmp

Download
memory/480-140-0x0000000000000000-mapping.dmp

Download
memory/692-143-0x0000000000000000-mapping.dmp

Download
memory/1096-139-0x0000000000000000-mapping.dmp

Download
memory/1492-138-0x0000000000000000-mapping.dmp

Download
memory/1888-147-0x0000000000000000-mapping.dmp

Download
memory/2292-132-0x0000000000000000-mapping.dmp

Download
memory/2708-145-0x0000000000000000-mapping.dmp

Download
memory/3312-146-0x0000000000000000-mapping.dmp

Download
memory/3432-136-0x0000000000000000-mapping.dmp

Download
memory/3484-137-0x0000000000000000-mapping.dmp

Download
memory/3740-142-0x0000000000000000-mapping.dmp

Download
memory/4712-144-0x0000000000000000-mapping.dmp

Download
memory/4724-141-0x0000000000000000-mapping.dmp

Download
memory/5084-133-0x0000000000000000-mapping.dmp

Download