Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-08-2023 11:35
Behavioral task behavioral1
- Sample: b66f351c35212c7a265272d27aa09656.exe
- Resource: win7-20230712-en
Behavioral task behavioral2
- Sample: b66f351c35212c7a265272d27aa09656.exe
- Resource: win10v2004-20230703-en
General
- Target: b66f351c35212c7a265272d27aa09656.exe
- Size: 4.4MB
- MD5: b66f351c35212c7a265272d27aa09656
- SHA1: c2994b2969f315b189a151d545b35a2c8ed6a2f9
- SHA256: ba4c8e065f601de46ae7844e81921c68726d09345f3db13fb6e3f5ea2d413dde
- SHA512: 82ac249a9024085be3bd071682d15054696b0cd61a8b8a85d77c7ff4cd7703124ab07a3446b1b7b69015b5a30643f88030bef908644c88256d1784f992207fcb
- SSDEEP: 98304:sParA5bJxdz0l3YIMFQxMKsVCyGPPUpGieNjBVTRB7OQ8TZMQ7caYS3u:6a6rwlLSQxMKeiVRpSnYvIu
Malware Config
Signatures
- Processes:
  resource | yara_rule
  behavioral2/memory/4776-133-0x00007FF71D4F0000-0x00007FF71E101000-memory.dmp | upx
  behavioral2/memory/4776-147-0x00007FF71D4F0000-0x00007FF71E101000-memory.dmp | upx
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3360 | nPandaVPN.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  4776 | b66f351c35212c7a265272d27aa09656.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4776 | b66f351c35212c7a265272d27aa09656.exe
  Token: SeDebugPrivilege | 1684 | notepad.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4776 wrote to memory of 2548 | 4776 | b66f351c35212c7a265272d27aa09656.exe | cmd.exe
  PID 4776 wrote to memory of 2548 | 4776 | b66f351c35212c7a265272d27aa09656.exe | cmd.exe
  PID 2548 wrote to memory of 3360 | 2548 | cmd.exe | nPandaVPN.exe
  PID 2548 wrote to memory of 3360 | 2548 | cmd.exe | nPandaVPN.exe
  PID 2548 wrote to memory of 3360 | 2548 | cmd.exe | nPandaVPN.exe
  PID 4776 wrote to memory of 1684 | 4776 | b66f351c35212c7a265272d27aa09656.exe | notepad.exe
  PID 4776 wrote to memory of 1684 | 4776 | b66f351c35212c7a265272d27aa09656.exe | notepad.exe
  PID 4776 wrote to memory of 1684 | 4776 | b66f351c35212c7a265272d27aa09656.exe | notepad.exe
  PID 4776 wrote to memory of 1684 | 4776 | b66f351c35212c7a265272d27aa09656.exe | notepad.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b66f351c35212c7a265272d27aa09656.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b66f351c35212c7a265272d27aa09656.exe"
  PID: 4776
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C nPandaVPN.exe
    PID: 2548
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\nPandaVPN.exe
      Command line: nPandaVPN.exe
      PID: 3360
      - Executes dropped EXE
  - C:\Windows\System32\notepad.exe
    Command line: "C:\Windows\System32\notepad.exe"
    PID: 1684
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.1MB
  MD5: c83323d126469b0eaab04876edd391a3
  SHA1: dc9b1aeb0535cc30eff5f298e81de1476ec8e02a
  SHA256: 318f8b901a0c9226f41409e97c4167cdf1836508f969ab13b8e004b4f6c9caac
  SHA512: edde3c33d83b5ba1d527073afbf99568737a82d1142003b7163d5c037e536761a7472b0245a85e0dcab9c89790a82a7470a57b2f1829e75875a92b8495825487