Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2023 00:40
Behavioral task: behavioral1
- Sample: 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
- Resource: win10v2004-20230915-en
General
- Target: 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
- Size: 2.8MB
- MD5: b4358bc395a84f175e3a04ac0eced298
- SHA1: 9b33ffd40b48b86c63fdc288091d5a1f7364841e
- SHA256: 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d
- SHA512: 5dfa5e99108d7404274f353ad0c34dfcb20b9655e976bf78dca7431b3022374d405d4f8a7dd5ef196424fd43629fe97c47d58d581e704ed15589fb61286b941b
- SSDEEP: 49152:MTGkQd5QZuTtS0rQMYOQ+q8CEpTG4QrTGHQC9KFeM6:MKkuWsM0r1QnuK4aKHZ0FeX
Malware Config
Signatures

Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\9Ysge8pG3.sys | xwizard.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Executes dropped EXE 2 IoCs
pid | Process
4668 | 1df9df31
1408 | xwizard.exe

resource | yara_rule
behavioral2/memory/5100-0-0x00000000007F0000-0x0000000000879000-memory.dmp | upx
behavioral2/files/0x0008000000022cc4-2.dat | upx
behavioral2/files/0x0008000000022cc4-4.dat | upx
behavioral2/memory/4668-3-0x0000000000740000-0x00000000007C9000-memory.dmp | upx
behavioral2/memory/5100-29-0x00000000007F0000-0x0000000000879000-memory.dmp | upx
behavioral2/memory/5100-31-0x00000000007F0000-0x0000000000879000-memory.dmp | upx
behavioral2/memory/4668-38-0x0000000000740000-0x00000000007C9000-memory.dmp | upx
behavioral2/memory/4668-66-0x0000000000740000-0x00000000007C9000-memory.dmp | upx
Unexpected DNS network traffic destination 1 IoCs
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 114.114.114.114
Drops file in System32 directory 16 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\1df9df31 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | 1df9df31
File created | C:\Windows\system32\ \Windows\System32\3miUfqG.sys | xwizard.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4 | 1df9df31
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4 | 1df9df31
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\4feaf8 | 1df9df31
File created | C:\Windows\iH79Vzu.sys | xwizard.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | xwizard.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | xwizard.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | xwizard.exe
Delays execution with timeout.exe 2 IoCs
pid | Process
1424 | timeout.exe
228 | timeout.exe

Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\New Windows\Allow | xwizard.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com | xwizard.exe
Modifies data under HKEY_USERS 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | 1df9df31
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | 1df9df31
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | 1df9df31
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | 1df9df31
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | 1df9df31
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | 1df9df31
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | 1df9df31
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | 1df9df31
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | 1df9df31
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count
4668 | 1df9df31 | 10
3180 | Explorer.EXE | 4
4668 | 1df9df31 | 2
1408 | xwizard.exe | 48
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3180 | Explorer.EXE
Suspicious behavior: LoadsDriver 3 IoCs
pid | Process | count
656 | Process not Found | 3
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5100 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Token: SeTcbPrivilege | 5100 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Token: SeDebugPrivilege | 4668 | 1df9df31
Token: SeTcbPrivilege | 4668 | 1df9df31
Token: SeDebugPrivilege | 4668 | 1df9df31
Token: SeDebugPrivilege | 3180 | Explorer.EXE
Token: SeDebugPrivilege | 3180 | Explorer.EXE
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeIncBasePriorityPrivilege | 5100 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe
Token: SeDebugPrivilege | 4668 | 1df9df31
Token: SeDebugPrivilege | 1408 | xwizard.exe
Token: SeDebugPrivilege | 1408 | xwizard.exe
Token: SeDebugPrivilege | 1408 | xwizard.exe
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeIncBasePriorityPrivilege | 4668 | 1df9df31
Token: SeDebugPrivilege | 1408 | xwizard.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | count
1408 | xwizard.exe | 64
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1408 | xwizard.exe

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3180 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count
PID 4668 wrote to memory of 3180 | 4668 | 1df9df31 | 45 | 5
PID 3180 wrote to memory of 1408 | 3180 | Explorer.EXE | 92 | 7
PID 4668 wrote to memory of 608 | 4668 | 1df9df31 | 6 | 5
PID 5100 wrote to memory of 4828 | 5100 | 7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe | 95 | 3
PID 4828 wrote to memory of 1424 | 4828 | cmd.exe | 97 | 3
PID 4668 wrote to memory of 2440 | 4668 | 1df9df31 | 99 | 3
PID 2440 wrote to memory of 228 | 2440 | cmd.exe | 101 | 3
PID 1408 wrote to memory of 3180 | 1408 | xwizard.exe | 45 | 35
Processes

C:\Windows\system32\winlogon.exe (winlogon.exe), PID:608

C:\Windows\Explorer.EXE ("C:\Windows\Explorer.EXE"), PID:3180
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe ("C:\Users\Admin\AppData\Local\Temp\7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe"), PID:5100
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe ("C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\7a56063708e77bdd6eae6eb84bea0a7fdb884017f6aac70826b29724acbf362d.exe"), PID:4828
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\timeout.exe (timeout /t 1), PID:1424
            - Delays execution with timeout.exe

    C:\xwizard.exe ("C:\xwizard.exe"), PID:1408
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

C:\Windows\Syswow64\1df9df31 (C:\Windows\Syswow64\1df9df31), PID:4668
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe ("C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\1df9df31"), PID:2440
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe (timeout /t 1), PID:228
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2.8MB
- MD5: 3900c51409a89254ff6c59a366216c97
- SHA1: aaccc472c504abdd0b65596602c7804ce869246d
- SHA256: 988f9d264c139ef457148e35d2c036144d403fe005c5bf37ef656609ad2c7ee6
- SHA512: 98adf7a82a50fbcd3d2bff375bf75ae594782a2e58c911bb6d0c52115f99a8f21661f4d2bd9a5a7d91b900c6713f7fdf3515fc383a8ee51e00efa184df5fd1f1
- Filesize: 62KB
- MD5: 30c784340f42db44a84c7958c240e394
- SHA1: a9611d90310fe54d0f78e7e067b00c9d53c870c3
- SHA256: 4359c82a6760d717ec367bc80b1a70e149bf7e197ea45c1188a4826570b96c50
- SHA512: f5f7da6505dfde7060ec0fb186915f4390eb1d0a3048effc65df41b9b6201e501be1ad6cb3db8f626451fd3fdfaf5ef9d615200b7d039f79e93ef74e4a359d8e