Analysis Overview
SHA256
cfd11acb2343bcc79e51f5c9db8443e901894d7580b430aecf8338a71cf624de
Threat Level: Known bad
The file Vuodneyx.exe was found to be: Known bad.
Malicious Activity Summary
BitRAT
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-27 07:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-27 07:47
Reported
2023-07-27 07:50
Platform
win7-20230712-en
Max time kernel
154s
Max time network
160s
Command Line
Signatures
BitRAT
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1948 set thread context of 1748 | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe
"C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {15DB1C15-7A86-4FA8-8B11-1F970FD23B22} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:S4U:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
C:\Windows\system32\taskeng.exe
taskeng.exe {F9AC0FCB-5BFD-4814-AB3F-A9116DE7AF62} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe
C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe
"C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 208.67.104.96:39001 | | tcp |
| NL | 208.67.104.96:80 | 208.67.104.96 | tcp |
| NL | 208.67.104.96:1234 | | tcp |
Files
memory/2804-54-0x000000013F700000-0x000000013F7AA000-memory.dmp
memory/2804-55-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp
memory/2804-56-0x000000001B900000-0x000000001B980000-memory.dmp
memory/2804-57-0x000000001B7C0000-0x000000001B8D0000-memory.dmp
memory/2804-58-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-59-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-61-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-63-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-65-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-67-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-69-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-73-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-71-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-77-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-79-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-75-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-81-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-83-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-85-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-87-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-89-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-91-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-93-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-95-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-97-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-99-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-101-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-103-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-105-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-107-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-109-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-111-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-113-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-115-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-117-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-121-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-119-0x000000001B7C0000-0x000000001B8CC000-memory.dmp
memory/2804-1112-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp
memory/2804-1216-0x000000001B900000-0x000000001B980000-memory.dmp
memory/2804-2968-0x000000001AAF0000-0x000000001AB46000-memory.dmp
memory/2804-2969-0x0000000002320000-0x000000000236C000-memory.dmp
memory/2804-2970-0x000000001AF80000-0x000000001AFD4000-memory.dmp
memory/2804-2972-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp
memory/1976-2977-0x0000000019E20000-0x000000001A102000-memory.dmp
memory/1976-2978-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp
memory/1976-2979-0x0000000001490000-0x0000000001510000-memory.dmp
memory/1976-2980-0x0000000001490000-0x0000000001510000-memory.dmp
memory/1976-2981-0x0000000001490000-0x0000000001510000-memory.dmp
memory/1976-2983-0x0000000000E50000-0x0000000000E58000-memory.dmp
memory/1976-2982-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp
memory/1976-2984-0x0000000001490000-0x0000000001510000-memory.dmp
memory/1976-2985-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp
C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe
| MD5 | f07259a0cd92a6c0640ff1acd0d1a54d |
| SHA1 | 270cc877c9b6571ec2b5c593dfba4f8ea4c5c966 |
| SHA256 | cfd11acb2343bcc79e51f5c9db8443e901894d7580b430aecf8338a71cf624de |
| SHA512 | 6d134f7121ebc3b4a53164c1be21b5428dad5c3dd24336398a9e07c933ca42387f498e93beeb61c9274683e497a781839a5b97404f14c3cfe1363e09b1116f28 |
\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe
| MD5 | f07259a0cd92a6c0640ff1acd0d1a54d |
| SHA1 | 270cc877c9b6571ec2b5c593dfba4f8ea4c5c966 |
| SHA256 | cfd11acb2343bcc79e51f5c9db8443e901894d7580b430aecf8338a71cf624de |
| SHA512 | 6d134f7121ebc3b4a53164c1be21b5428dad5c3dd24336398a9e07c933ca42387f498e93beeb61c9274683e497a781839a5b97404f14c3cfe1363e09b1116f28 |
C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe
| MD5 | f07259a0cd92a6c0640ff1acd0d1a54d |
| SHA1 | 270cc877c9b6571ec2b5c593dfba4f8ea4c5c966 |
| SHA256 | cfd11acb2343bcc79e51f5c9db8443e901894d7580b430aecf8338a71cf624de |
| SHA512 | 6d134f7121ebc3b4a53164c1be21b5428dad5c3dd24336398a9e07c933ca42387f498e93beeb61c9274683e497a781839a5b97404f14c3cfe1363e09b1116f28 |
memory/1948-2990-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp
memory/1948-2991-0x000000013FF80000-0x000000014002A000-memory.dmp
memory/1948-2997-0x00000000024B0000-0x0000000002530000-memory.dmp
memory/1948-4453-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp
memory/1948-4753-0x00000000024B0000-0x0000000002530000-memory.dmp
memory/1948-5903-0x0000000000830000-0x0000000000884000-memory.dmp
memory/1948-5904-0x00000000024B0000-0x0000000002530000-memory.dmp
memory/1948-5913-0x00000000024B0000-0x0000000002530000-memory.dmp
memory/1948-5916-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp
memory/1748-5917-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp
memory/1748-5918-0x0000000140000000-0x00000001400AA000-memory.dmp
memory/1748-5919-0x0000000000140000-0x00000000001C0000-memory.dmp
memory/1748-7115-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp
memory/1748-7178-0x0000000000140000-0x00000000001C0000-memory.dmp
memory/1748-8830-0x0000000000140000-0x00000000001C0000-memory.dmp
memory/1748-8831-0x0000000000140000-0x00000000001C0000-memory.dmp
memory/1748-8832-0x0000000000140000-0x00000000001C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe
| MD5 | 441dedecb2564b6df1ad2942958636c4 |
| SHA1 | 33c91b6ebe8578d28ead35ff25d928285eeabd2f |
| SHA256 | 91e3e2bf786f5f441fc7461e98a55de547152edab9c95d38e230ac32c64e7a16 |
| SHA512 | 3daa070ca3be0edacc3927413ae05d390b8e1f78d0a6aedacf169eacbc794f342fa1ec2dfca10bd4ee2c273ac99cfae8d515d1e1eabea48a2beed4218115da22 |
C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe
| MD5 | 441dedecb2564b6df1ad2942958636c4 |
| SHA1 | 33c91b6ebe8578d28ead35ff25d928285eeabd2f |
| SHA256 | 91e3e2bf786f5f441fc7461e98a55de547152edab9c95d38e230ac32c64e7a16 |
| SHA512 | 3daa070ca3be0edacc3927413ae05d390b8e1f78d0a6aedacf169eacbc794f342fa1ec2dfca10bd4ee2c273ac99cfae8d515d1e1eabea48a2beed4218115da22 |
memory/1748-8840-0x0000000000140000-0x00000000001C0000-memory.dmp
memory/1748-8841-0x0000000000140000-0x00000000001C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe
| MD5 | 441dedecb2564b6df1ad2942958636c4 |
| SHA1 | 33c91b6ebe8578d28ead35ff25d928285eeabd2f |
| SHA256 | 91e3e2bf786f5f441fc7461e98a55de547152edab9c95d38e230ac32c64e7a16 |
| SHA512 | 3daa070ca3be0edacc3927413ae05d390b8e1f78d0a6aedacf169eacbc794f342fa1ec2dfca10bd4ee2c273ac99cfae8d515d1e1eabea48a2beed4218115da22 |
memory/2696-8843-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/2696-8844-0x00000000003F0000-0x00000000003FA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-27 07:47
Reported
2023-07-27 07:49
Platform
win10v2004-20230703-en
Max time kernel
33s
Max time network
84s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe
"C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.240.110.104.in-addr.arpa | udp |
Files
memory/2432-133-0x000001EEF7A80000-0x000001EEF7B2A000-memory.dmp
memory/2432-134-0x00007FFE8AFF0000-0x00007FFE8BAB1000-memory.dmp
memory/2432-135-0x000001EEF9720000-0x000001EEF9730000-memory.dmp
memory/2432-136-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-137-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-139-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-141-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-143-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-145-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-147-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-149-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-151-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-153-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-155-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-157-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-159-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-161-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-163-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-165-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-167-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-169-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-171-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-173-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-175-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-177-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-179-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-181-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-183-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-185-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-187-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-189-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-191-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-193-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-195-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-197-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-199-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp
memory/2432-735-0x00007FFE8AFF0000-0x00007FFE8BAB1000-memory.dmp
memory/2432-919-0x000001EEF9720000-0x000001EEF9730000-memory.dmp
memory/2432-3048-0x00007FFE8AFF0000-0x00007FFE8BAB1000-memory.dmp