eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2023 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
Size

8.6MB
MD5

4c54e81adec62a8fce08efc5639f782b
SHA1

0c584a7ac5a130bbc2288d8236da4232d39a26e0
SHA256

eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84
SHA512

dca3ef394f7dd3f33966e41606361eb32fd834b7f963c6746675cde4560cbbe75e68c5c48f1c9684de0debbf7f0ba01acb53698335e359b9cc163376a330fef4
SSDEEP

196608:EW+8TAznnl4O7xD4Vn+YivaMOw8K+d+Jm:EuTAzh7UitOw8/z

Score

8^/10

upx

Malware Config

Signatures

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe

Executes dropped EXE 1 IoCs

pid	Process
2020	vvBGd1.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231ec-7.dat	upx
behavioral2/files/0x00060000000231ec-12.dat	upx
behavioral2/memory/2020-13-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/files/0x00060000000231ec-17.dat	upx
behavioral2/memory/2020-56-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vvBGd1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vvBGd1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
2020	vvBGd1.exe
2020	vvBGd1.exe
2020	vvBGd1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 2020	3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe	86
PID 3208 wrote to memory of 2020	3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe	86
PID 3208 wrote to memory of 2020	3208	eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe	86
PID 2020 wrote to memory of 4292	2020	vvBGd1.exe	90
PID 2020 wrote to memory of 4292	2020	vvBGd1.exe	90
PID 2020 wrote to memory of 4292	2020	vvBGd1.exe	90

C:\Users\Admin\AppData\Local\Temp\eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe
"C:\Users\Admin\AppData\Local\Temp\eb0601803a1bfe18c47a11c6fb5ebf2ece40405573376b7ed605cc3e08051c84.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Public\Pictures\vvBGd1.exe
  "C:\Users\Public\Pictures\vvBGd1.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Pictures\Edge.jpg

Filesize
358KB

MD5
9bc193f51e3317b3afc959542c786551

SHA1
74c6005b964eb965bb3df2b7d2def4aee5256fe1

SHA256
862a5925169f9a3249e7027f13035329f3261d7324573b8308946662290f12f7

SHA512
fbece556b05bd4203c623bac2e48d7cc3df070a8125bd679b116d01703317111569e8dc13b954928d88fad78c58ceeea23a47fdf742f09f2acab9da44be61793

Download Submit
C:\Users\Public\Pictures\edge.xml

Filesize
53KB

MD5
5d68b57a4e626dc0b9087b2f89c7085a

SHA1
ecb5695eefcbb1b5403634781887e414b32c260a

SHA256
12703971ad336f3117a58a2998122f02d05d5ce625caf30da1d73bb3864f8211

SHA512
60af3cbe328eebdef08321635f3ae8ee8491ef10acaa859dd4326ff4a225173130bb0fe1ffb037fb96a087b1abd6350b6594322935c59cfc6b9ae1d5f0e418b3

Download Submit
C:\Users\Public\Pictures\vvBGd1.dat

Filesize
132KB

MD5
5dc78f35fdc69fa2b641eb35c8ad6222

SHA1
622297f23dbb020450943d5f5e3c0a7f68c818fa

SHA256
a938a94a661dd5c24963096c2caee767c530c850ada3680a0f68f4232da5f12c

SHA512
b991ec442017ade8347d556727f087e6182f0243f98645254c8193b62d0ee46f444c9f6fad4c83711554adde43b78dc44b4177d737caaf820976e40599a42816

Download Submit
C:\Users\Public\Pictures\vvBGd1.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
C:\Users\Public\Pictures\vvBGd1.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
C:\Users\Public\Pictures\vvBGd1.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
memory/2020-39-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2020-42-0x00000000037C0000-0x00000000037D2000-memory.dmp

Filesize
72KB

Download
memory/2020-13-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2020-44-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/2020-56-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download