84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Size

536KB
MD5

74bcc42a4bb2f206d76f562d21bb2284
SHA1

355dbb36f5088ba5ebd2fb2e84f2ff2f4cfa46eb
SHA256

84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c
SHA512

43a42aefe9f79e1f5a5983f0e9aea87b388a293322ad9701ffef99aa93759ac8d1a94a921dc6f0cee96b3fd3ef10d9cde4fd3569b04480fd7c6568401025e02e
SSDEEP

12288:xhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:xdQyDLzJTveuK0/Okx2LF

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3120 created 596	3120	Explorer.EXE	78

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\lq1hGbIM.sys	ROUTE.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe

Executes dropped EXE 1 IoCs

pid	Process
4652	ROUTE.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/816-0-0x00000000001A0000-0x00000000002A2000-memory.dmp	upx
behavioral2/memory/816-19-0x00000000001A0000-0x00000000002A2000-memory.dmp	upx
behavioral2/memory/816-35-0x00000000001A0000-0x00000000002A2000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\ \Windows\System32\CCHJN0eH.sys	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	ROUTE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	ROUTE.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\df860	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
File created	C:\Windows\b2gxja.sys	ROUTE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ROUTE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	ROUTE.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4292	timeout.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ROUTE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ROUTE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ROUTE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ROUTE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ROUTE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ROUTE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ROUTE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ROUTE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ROUTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
3120	Explorer.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE
4652	ROUTE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3120	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Token: SeTcbPrivilege	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Token: SeDebugPrivilege	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Token: SeDebugPrivilege	3120	Explorer.EXE
Token: SeTcbPrivilege	3120	Explorer.EXE
Token: SeDebugPrivilege	3120	Explorer.EXE
Token: SeDebugPrivilege	3120	Explorer.EXE
Token: SeDebugPrivilege	3120	Explorer.EXE
Token: SeDebugPrivilege	3120	Explorer.EXE
Token: SeIncBasePriorityPrivilege	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Token: SeDebugPrivilege	4652	ROUTE.EXE
Token: SeDebugPrivilege	4652	ROUTE.EXE
Token: SeDebugPrivilege	4652	ROUTE.EXE
Token: SeShutdownPrivilege	3120	Explorer.EXE
Token: SeCreatePagefilePrivilege	3120	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 3120	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	35
PID 816 wrote to memory of 3120	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	35
PID 816 wrote to memory of 3120	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	35
PID 3120 wrote to memory of 4652	3120	Explorer.EXE	86
PID 3120 wrote to memory of 4652	3120	Explorer.EXE	86
PID 3120 wrote to memory of 4652	3120	Explorer.EXE	86
PID 3120 wrote to memory of 4652	3120	Explorer.EXE	86
PID 3120 wrote to memory of 4652	3120	Explorer.EXE	86
PID 3120 wrote to memory of 4652	3120	Explorer.EXE	86
PID 3120 wrote to memory of 4652	3120	Explorer.EXE	86
PID 3120 wrote to memory of 596	3120	Explorer.EXE	78
PID 3120 wrote to memory of 596	3120	Explorer.EXE	78
PID 3120 wrote to memory of 596	3120	Explorer.EXE	78
PID 3120 wrote to memory of 596	3120	Explorer.EXE	78
PID 3120 wrote to memory of 596	3120	Explorer.EXE	78
PID 816 wrote to memory of 3516	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	89
PID 816 wrote to memory of 3516	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	89
PID 816 wrote to memory of 3516	816	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	89
PID 3516 wrote to memory of 4292	3516	cmd.exe	91
PID 3516 wrote to memory of 4292	3516	cmd.exe	91
PID 3516 wrote to memory of 4292	3516	cmd.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
  "C:\Users\Admin\AppData\Local\Temp\84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4292

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\ProgramData\Microsoft\ROUTE.EXE
  "C:\ProgramData\Microsoft\ROUTE.EXE"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ROUTE.EXE

Filesize
24KB

MD5
3c97e63423e527ba8381e81cba00b8cd

SHA1
dc9ecd7e9ff4a4675c977a418bf1bb562c34c890

SHA256
b8a28aeb6345ca88b04ff3d9fadf30eacf26958c991bd8e4fb1df12a68f60eae

SHA512
e202d2202632a40423c339be2eabd6430b3ea07a744fef536c555a3c083a678e8e2e03b8ca95e19198ce744c33fbdfbc4db050c6738c5837a8675bcdf203cfdd

Download Submit
C:\ProgramData\Microsoft\ROUTE.EXE

Filesize
24KB

MD5
3c97e63423e527ba8381e81cba00b8cd

SHA1
dc9ecd7e9ff4a4675c977a418bf1bb562c34c890

SHA256
b8a28aeb6345ca88b04ff3d9fadf30eacf26958c991bd8e4fb1df12a68f60eae

SHA512
e202d2202632a40423c339be2eabd6430b3ea07a744fef536c555a3c083a678e8e2e03b8ca95e19198ce744c33fbdfbc4db050c6738c5837a8675bcdf203cfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8347cabd.tmp

Filesize
14.5MB

MD5
6697f78c0dffa2e0b851046aaf272101

SHA1
b91aeb9e6d4d99778a4fe27da2457cdb321e8bfe

SHA256
354b9545fbb292faea96eadbef7c85caf0f6f72b915e567044833fdfc2b923f0

SHA512
fd5d44c6aa0c791e77bfec1436e810b1ef6cd1c92937faa060b6688b5dd4a47268189639e628e2fed8ce57ad04b0e816f18b16d2a3e69e60cbd16049948766d4

Download Submit
memory/596-28-0x0000024280D10000-0x0000024280D38000-memory.dmp

Filesize
160KB

Download
memory/596-65-0x0000024280D50000-0x0000024280D51000-memory.dmp

Filesize
4KB

Download
memory/816-19-0x00000000001A0000-0x00000000002A2000-memory.dmp

Filesize
1.0MB

Download
memory/816-35-0x00000000001A0000-0x00000000002A2000-memory.dmp

Filesize
1.0MB

Download
memory/816-0-0x00000000001A0000-0x00000000002A2000-memory.dmp

Filesize
1.0MB

Download
memory/3120-11-0x0000000009070000-0x0000000009169000-memory.dmp

Filesize
996KB

Download
memory/3120-4-0x0000000002790000-0x0000000002793000-memory.dmp

Filesize
12KB

Download
memory/3120-3-0x0000000002790000-0x0000000002793000-memory.dmp

Filesize
12KB

Download
memory/3120-12-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/3120-46-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/3120-9-0x00000000030D0000-0x00000000030D3000-memory.dmp

Filesize
12KB

Download
memory/3120-26-0x00000000033B0000-0x0000000003429000-memory.dmp

Filesize
484KB

Download
memory/3120-7-0x0000000002790000-0x0000000002793000-memory.dmp

Filesize
12KB

Download
memory/3120-6-0x00000000033B0000-0x0000000003429000-memory.dmp

Filesize
484KB

Download
memory/3120-42-0x0000000009070000-0x0000000009169000-memory.dmp

Filesize
996KB

Download
memory/4652-17-0x000001D837C60000-0x000001D837C63000-memory.dmp

Filesize
12KB

Download
memory/4652-71-0x000001D839E00000-0x000001D839E02000-memory.dmp

Filesize
8KB

Download
memory/4652-54-0x000001D838000000-0x000001D838001000-memory.dmp

Filesize
4KB

Download
memory/4652-64-0x00007FF8A5A60000-0x00007FF8A5A70000-memory.dmp

Filesize
64KB

Download
memory/4652-22-0x00007FF8A5A60000-0x00007FF8A5A70000-memory.dmp

Filesize
64KB

Download
memory/4652-66-0x000001D839E00000-0x000001D839E01000-memory.dmp

Filesize
4KB

Download
memory/4652-67-0x000001D839DF0000-0x000001D839DF1000-memory.dmp

Filesize
4KB

Download
memory/4652-68-0x000001D839E00000-0x000001D839E01000-memory.dmp

Filesize
4KB

Download
memory/4652-69-0x000001D83A800000-0x000001D83A9C5000-memory.dmp

Filesize
1.8MB

Download
memory/4652-53-0x000001D837EE0000-0x000001D837FAB000-memory.dmp

Filesize
812KB

Download
memory/4652-70-0x000001D839E10000-0x000001D839E11000-memory.dmp

Filesize
4KB

Download
memory/4652-72-0x000001D839E00000-0x000001D839E01000-memory.dmp

Filesize
4KB

Download
memory/4652-73-0x000001D839E60000-0x000001D839E61000-memory.dmp

Filesize
4KB

Download
memory/4652-74-0x000001D839E10000-0x000001D839E11000-memory.dmp

Filesize
4KB

Download
memory/4652-23-0x000001D838000000-0x000001D838001000-memory.dmp

Filesize
4KB

Download
memory/4652-76-0x000001D83A800000-0x000001D83A9C5000-memory.dmp

Filesize
1.8MB

Download
memory/4652-77-0x000001D839E00000-0x000001D839E02000-memory.dmp

Filesize
8KB

Download
memory/4652-78-0x000001D839E60000-0x000001D839E61000-memory.dmp

Filesize
4KB

Download
memory/4652-21-0x000001D837EE0000-0x000001D837FAB000-memory.dmp

Filesize
812KB

Download