Analysis
-
max time kernel
153s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
04-10-2023 10:50
Behavioral task
behavioral1
Sample
1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe
Resource
win7-20230831-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral2
Sample
1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe
-
Size
271KB
-
MD5
eb6c2b720bf1204827e513af9b93fc04
-
SHA1
da49da66e4d4ce6a9c656f821eaed25ad599f772
-
SHA256
1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b
-
SHA512
e8e1723052346d31abb701b87b8deedb002fe42bc899d99efd040f13ee6e4b2516ee6f193ae7bb130280bf18ac959a29073245024256d87562aaa14ef5b5d649
-
SSDEEP
6144:/l51orRJXlDixHkUXe34cEOkCybEaQRXr9HNdvOa:xqXUHkUXe3GOkx2LIa
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 3212 created 608 3212 Explorer.EXE 5 -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\System32\drivers\7lDdXAj.sys getmac.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation 1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe -
Executes dropped EXE 2 IoCs
pid Process 2256 eda5f540 1836 getmac.exe -
resource yara_rule behavioral2/memory/1404-0-0x0000000000EF0000-0x0000000000F79000-memory.dmp upx behavioral2/files/0x00070000000231cd-2.dat upx behavioral2/files/0x00070000000231cd-4.dat upx behavioral2/memory/2256-3-0x0000000000080000-0x0000000000109000-memory.dmp upx behavioral2/memory/1404-9-0x0000000000EF0000-0x0000000000F79000-memory.dmp upx behavioral2/memory/2256-27-0x0000000000080000-0x0000000000109000-memory.dmp upx behavioral2/memory/1404-39-0x0000000000EF0000-0x0000000000F79000-memory.dmp upx behavioral2/memory/2256-64-0x0000000000080000-0x0000000000109000-memory.dmp upx behavioral2/memory/2256-69-0x0000000000080000-0x0000000000109000-memory.dmp upx -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 114.114.114.114 -
Drops file in System32 directory 26 IoCs
description ioc Process File created C:\Windows\SysWOW64\eda5f540 1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE eda5f540 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 eda5f540 File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 getmac.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft eda5f540 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A eda5f540 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4 eda5f540 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 eda5f540 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies eda5f540 File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C getmac.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B getmac.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 getmac.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 getmac.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache eda5f540 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E eda5f540 File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 getmac.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B getmac.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData eda5f540 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content eda5f540 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A eda5f540 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4 eda5f540 File created C:\Windows\system32\ \Windows\System32\I9C6biL.sys getmac.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C getmac.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 getmac.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 getmac.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E eda5f540 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\getmac.exe Explorer.EXE File opened for modification C:\Program Files\getmac.exe Explorer.EXE -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\269fa0 eda5f540 File created C:\Windows\nbxZbS4I.sys getmac.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 getmac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 getmac.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName getmac.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 3176 timeout.exe 8 timeout.exe -
Modifies data under HKEY_USERS 18 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix getmac.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" getmac.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" getmac.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" getmac.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing getmac.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" eda5f540 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing eda5f540 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" eda5f540 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" getmac.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" getmac.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ eda5f540 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" eda5f540 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" eda5f540 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ getmac.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix eda5f540 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" eda5f540 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" eda5f540 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" getmac.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2256 eda5f540 2256 eda5f540 2256 eda5f540 2256 eda5f540 2256 eda5f540 2256 eda5f540 2256 eda5f540 2256 eda5f540 2256 eda5f540 2256 eda5f540 3212 Explorer.EXE 3212 Explorer.EXE 3212 Explorer.EXE 3212 Explorer.EXE 2256 eda5f540 2256 eda5f540 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe 1836 getmac.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3212 Explorer.EXE -
Suspicious behavior: LoadsDriver 3 IoCs
pid Process 668 Process not Found 668 Process not Found 668 Process not Found -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeDebugPrivilege 1404 1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe Token: SeTcbPrivilege 1404 1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe Token: SeDebugPrivilege 2256 eda5f540 Token: SeTcbPrivilege 2256 eda5f540 Token: SeDebugPrivilege 2256 eda5f540 Token: SeDebugPrivilege 3212 Explorer.EXE Token: SeDebugPrivilege 3212 Explorer.EXE Token: SeDebugPrivilege 2256 eda5f540 Token: SeIncBasePriorityPrivilege 1404 1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe Token: SeDebugPrivilege 1836 getmac.exe Token: SeDebugPrivilege 1836 getmac.exe Token: SeDebugPrivilege 1836 getmac.exe Token: SeShutdownPrivilege 3212 Explorer.EXE Token: SeCreatePagefilePrivilege 3212 Explorer.EXE Token: SeIncBasePriorityPrivilege 2256 eda5f540 -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3212 Explorer.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2256 wrote to memory of 3212 2256 eda5f540 61 PID 2256 wrote to memory of 3212 2256 eda5f540 61 PID 2256 wrote to memory of 3212 2256 eda5f540 61 PID 2256 wrote to memory of 3212 2256 eda5f540 61 PID 2256 wrote to memory of 3212 2256 eda5f540 61 PID 3212 wrote to memory of 1836 3212 Explorer.EXE 91 PID 3212 wrote to memory of 1836 3212 Explorer.EXE 91 PID 3212 wrote to memory of 1836 3212 Explorer.EXE 91 PID 3212 wrote to memory of 1836 3212 Explorer.EXE 91 PID 3212 wrote to memory of 1836 3212 Explorer.EXE 91 PID 3212 wrote to memory of 1836 3212 Explorer.EXE 91 PID 3212 wrote to memory of 1836 3212 Explorer.EXE 91 PID 2256 wrote to memory of 608 2256 eda5f540 5 PID 2256 wrote to memory of 608 2256 eda5f540 5 PID 2256 wrote to memory of 608 2256 eda5f540 5 PID 2256 wrote to memory of 608 2256 eda5f540 5 PID 2256 wrote to memory of 608 2256 eda5f540 5 PID 1404 wrote to memory of 2572 1404 1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe 96 PID 1404 wrote to memory of 2572 1404 1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe 96 PID 1404 wrote to memory of 2572 1404 1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe 96 PID 2572 wrote to memory of 3176 2572 cmd.exe 98 PID 2572 wrote to memory of 3176 2572 cmd.exe 98 PID 2572 wrote to memory of 3176 2572 cmd.exe 98 PID 2256 wrote to memory of 3192 2256 eda5f540 102 PID 2256 wrote to memory of 3192 2256 eda5f540 102 PID 2256 wrote to memory of 3192 2256 eda5f540 102 PID 3192 wrote to memory of 8 3192 cmd.exe 103 PID 3192 wrote to memory of 8 3192 cmd.exe 103 PID 3192 wrote to memory of 8 3192 cmd.exe 103
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:608
-
C:\Program Files\getmac.exe"C:\Program Files\getmac.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe"C:\Users\Admin\AppData\Local\Temp\1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe"2⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\timeout.exetimeout /t 14⤵
- Delays execution with timeout.exe
PID:3176
-
-
-
-
C:\Windows\Syswow64\eda5f540C:\Windows\Syswow64\eda5f5401⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\eda5f540"2⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
PID:8
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88KB
MD57d4b72dff5b8e98dd1351a401e402c33
SHA140810fb6eee8856b1884ecb528c88b97e447c5d8
SHA256467ce33b5145c6e71499f32139f14d81b47c38f11dca26b330367add263dba12
SHA5125a26e5e22ad1005e67f6b66187df4e6f75f1b611b2c8d615af34bd61e94fd48fc64b606e7c43d608d112096c7bbaa8fddfc8a9acb603ab137e71d85783b98fd5
-
Filesize
88KB
MD57d4b72dff5b8e98dd1351a401e402c33
SHA140810fb6eee8856b1884ecb528c88b97e447c5d8
SHA256467ce33b5145c6e71499f32139f14d81b47c38f11dca26b330367add263dba12
SHA5125a26e5e22ad1005e67f6b66187df4e6f75f1b611b2c8d615af34bd61e94fd48fc64b606e7c43d608d112096c7bbaa8fddfc8a9acb603ab137e71d85783b98fd5
-
Filesize
11.6MB
MD55244c87dbafa1f764b258766005dea73
SHA184cb8b4fb3e0910cfecfb31b6fa54c16d940e703
SHA256077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40
SHA51254d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438
-
Filesize
271KB
MD552f24bd4d3d617057481e5d25f34fbed
SHA118328882cc8204ab3842f4264983a98963f8b11e
SHA256b1874596a33641cd412dd227c45f9c2b38208ace88af44af95cd8e402cac705c
SHA512033f6b83f0a6446fd35cccffc2430375014ff11e75b8969e3f8a7b0e384b653dba93a1e16bf48907d5e1d840261388c4048b8e64e0fd7ba96fece67c65c096cf
-
Filesize
271KB
MD552f24bd4d3d617057481e5d25f34fbed
SHA118328882cc8204ab3842f4264983a98963f8b11e
SHA256b1874596a33641cd412dd227c45f9c2b38208ace88af44af95cd8e402cac705c
SHA512033f6b83f0a6446fd35cccffc2430375014ff11e75b8969e3f8a7b0e384b653dba93a1e16bf48907d5e1d840261388c4048b8e64e0fd7ba96fece67c65c096cf