da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9

Resubmissions

01/03/2023, 08:46

230301-kpllzafd87 7

22/01/2022, 00:21

220122-anv4xaefc3 8

Analysis

max time kernel
498s
max time network
501s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2023, 08:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe
Size

638KB
MD5

04dc04a1a61769f33b234ad0f19fdc53
SHA1

4619b2ed9fec98ad39785fda34c37811b5a14dcc
SHA256

da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9
SHA512

2cd5e3845a93a801581b17d7abec5145e034bd832b8fff0e3aafbccd2e02349dc35a81584dc8c82c15c666841ee707ffd9bcdcc1eaff31f7c81d566a433118f1
SSDEEP

12288:S/ob76UD3fHwsh6qyJdrFLneBF7u9GuaE5Sla90ppGQs//1r2NoGnC/7uc:S/a76UbIshqrlnQF7aGuHj9WMQs316iD

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe

Executes dropped EXE 1 IoCs

pid	Process
264	factory.exe

Loads dropped DLL 1 IoCs

pid	Process
264	factory.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3112-133-0x0000000000240000-0x000000000036D000-memory.dmp	upx
behavioral2/memory/3112-135-0x0000000000240000-0x000000000036D000-memory.dmp	upx
behavioral2/files/0x000600000002315a-146.dat	upx
behavioral2/files/0x000600000002315a-161.dat	upx
behavioral2/files/0x000600000002315a-162.dat	upx
behavioral2/memory/264-163-0x0000000074200000-0x000000007427C000-memory.dmp	upx
behavioral2/memory/3112-165-0x0000000000240000-0x000000000036D000-memory.dmp	upx
behavioral2/memory/264-164-0x0000000074200000-0x000000007427C000-memory.dmp	upx
behavioral2/memory/264-167-0x0000000074200000-0x000000007427C000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3112	da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 264	3112	da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe	85
PID 3112 wrote to memory of 264	3112	da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe	85
PID 3112 wrote to memory of 264	3112	da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe	85
PID 3112 wrote to memory of 4204	3112	da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe	86
PID 3112 wrote to memory of 4204	3112	da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe	86
PID 3112 wrote to memory of 4204	3112	da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe	86

C:\Users\Admin\AppData\Local\Temp\da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe
"C:\Users\Admin\AppData\Local\Temp\da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\factory.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\factory.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DA29FF~1.EXE > nul
  2⤵
  PID:4204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\factory.dll

Filesize
242KB

MD5
dee54d45b64fc48e35c80962fb44f73f

SHA1
e9b6e00e5240942d97a595829f0f10f8e77784d6

SHA256
beb9ecc06e1e753224511a52ab36bf7144d2cbbf0d0fcfdb5962897a4c91d861

SHA512
b884d05fcb489d29f1337b6f5f1149111bbf5f90372cda108158ad2509099f6bf89717297c42facab19beda0f1c9e715a2ad3a3bfc3e48e2fee3cb7c06b86286

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\factory.dll

Filesize
242KB

MD5
dee54d45b64fc48e35c80962fb44f73f

SHA1
e9b6e00e5240942d97a595829f0f10f8e77784d6

SHA256
beb9ecc06e1e753224511a52ab36bf7144d2cbbf0d0fcfdb5962897a4c91d861

SHA512
b884d05fcb489d29f1337b6f5f1149111bbf5f90372cda108158ad2509099f6bf89717297c42facab19beda0f1c9e715a2ad3a3bfc3e48e2fee3cb7c06b86286

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\factory.exe

Filesize
14KB

MD5
5e95e6131ff0e79ad5df107db915760c

SHA1
5c3370b98798aab405c724250ab543291fed2fb2

SHA256
059ceeede58369f41c5090cc2eb264098ad0a0fd41b14a166e743de41e56f7cf

SHA512
07c6cb9faa40b0db3f80bb952a1a4cacdb97025a4c96add3fb67a692c6e8ef4fe19f0eb9727fa019431abd7892f9053662fcf61bf21df65a0630f0af563dda32

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\factory.exe

Filesize
14KB

MD5
5e95e6131ff0e79ad5df107db915760c

SHA1
5c3370b98798aab405c724250ab543291fed2fb2

SHA256
059ceeede58369f41c5090cc2eb264098ad0a0fd41b14a166e743de41e56f7cf

SHA512
07c6cb9faa40b0db3f80bb952a1a4cacdb97025a4c96add3fb67a692c6e8ef4fe19f0eb9727fa019431abd7892f9053662fcf61bf21df65a0630f0af563dda32

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\factory.exe

Filesize
14KB

MD5
5e95e6131ff0e79ad5df107db915760c

SHA1
5c3370b98798aab405c724250ab543291fed2fb2

SHA256
059ceeede58369f41c5090cc2eb264098ad0a0fd41b14a166e743de41e56f7cf

SHA512
07c6cb9faa40b0db3f80bb952a1a4cacdb97025a4c96add3fb67a692c6e8ef4fe19f0eb9727fa019431abd7892f9053662fcf61bf21df65a0630f0af563dda32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_240552203__.tmp

Filesize
242KB

MD5
dee54d45b64fc48e35c80962fb44f73f

SHA1
e9b6e00e5240942d97a595829f0f10f8e77784d6

SHA256
beb9ecc06e1e753224511a52ab36bf7144d2cbbf0d0fcfdb5962897a4c91d861

SHA512
b884d05fcb489d29f1337b6f5f1149111bbf5f90372cda108158ad2509099f6bf89717297c42facab19beda0f1c9e715a2ad3a3bfc3e48e2fee3cb7c06b86286

Download Submit
memory/264-163-0x0000000074200000-0x000000007427C000-memory.dmp

Filesize
496KB

Download
memory/264-164-0x0000000074200000-0x000000007427C000-memory.dmp

Filesize
496KB

Download
memory/264-167-0x0000000074200000-0x000000007427C000-memory.dmp

Filesize
496KB

Download
memory/3112-133-0x0000000000240000-0x000000000036D000-memory.dmp

Filesize
1.2MB

Download
memory/3112-135-0x0000000000240000-0x000000000036D000-memory.dmp

Filesize
1.2MB

Download
memory/3112-165-0x0000000000240000-0x000000000036D000-memory.dmp

Filesize
1.2MB

Download