Overview

overview

10

Static

static

7

31e5131706...0d.exe

windows7-x64

10

31e5131706...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    02/11/2023, 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31e51317061c1205e8454bbcfc77ed1fd6e3ee28b68f1cf2de0160ec13000f0d.exe

  • Size

    3.8MB

  • MD5

    f0001b375b08069370b92614c6db7edb

  • SHA1

    e97a7f0cef9a20269b1df3dd57c6d09e7a775ccb

  • SHA256

    31e51317061c1205e8454bbcfc77ed1fd6e3ee28b68f1cf2de0160ec13000f0d

  • SHA512

    81fc198337c1a582b063032f9434690b94a02a56c1aea18783e4adfc4528820310ec8616670d9f947d8b60b0a4e7959f801e7b275aacfa48c6c87bfb289a1aaa

  • SSDEEP

    24576:pjSow1qeSJbKkKF/eMNPjyXtaSJZWh/ZWuPaG8j3acWSmrW3aDW9ZwJCcf1cg8UK:pjSto9KFeMRHp6

Score
10/10
upxvmprotect

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops file in Drivers directory 9 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 23 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\Windows\Fonts\spreview.exe
        "C:\Windows\Fonts\spreview.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\system32\tcmsetup.exe
          "C:\Windows\system32\tcmsetup.exe"
          3⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:1992
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\31e51317061c1205e8454bbcfc77ed1fd6e3ee28b68f1cf2de0160ec13000f0d.exe
        "C:\Users\Admin\AppData\Local\Temp\31e51317061c1205e8454bbcfc77ed1fd6e3ee28b68f1cf2de0160ec13000f0d.exe"
        2⤵
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\31e51317061c1205e8454bbcfc77ed1fd6e3ee28b68f1cf2de0160ec13000f0d.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:1676
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1212

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab3DCD.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabEA90.tmp
      Filesize

      29KB

      MD5

      d59a6b36c5a94916241a3ead50222b6f

      SHA1

      e274e9486d318c383bc4b9812844ba56f0cff3c6

      SHA256

      a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

      SHA512

      17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar8A3B.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarEAB2.tmp
      Filesize

      81KB

      MD5

      b13f51572f55a2d31ed9f266d581e9ea

      SHA1

      7eef3111b878e159e520f34410ad87adecf0ca92

      SHA256

      725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

      SHA512

      f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

      Download Submit

    • C:\Windows\4NGcB0eBiP0O.sys
      Filesize

      447KB

      MD5

      d6ea2832720a5ccd719a818ec387fe72

      SHA1

      db59f5defefb02f30d1eec8bfe86c6463b90bc18

      SHA256

      42fed42eece811cb0b174f67aa1bd36b4df45cc1ac6e2c3824e371c03afa4a12

      SHA512

      bdff3c003e210aa694ab8391536113d765f7cfa28b76c81ba82c2f60001c78363ef71176733880e2186585345edce5149542a1d45b1ec00441e1e12a3055ddf6

      Download Submit

    • C:\Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • C:\Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • C:\Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      df1393b32e4144ed8ca0b4edf3bbe493

      SHA1

      a3abf8371e36a33efd15cec29f36cd5d071bdfb3

      SHA256

      e73c9bf214c4e385c650a0e5d4a402a33c5badc0ee38bd5812228f04789ba195

      SHA512

      beef868b8f66602d85120285ef2e98733fd6b403ecae7e122ef03cf1de205739387d7c71292701b38408719fb678bac368eeecb5b0f775a9983fca98240fce74

      Download Submit

    • C:\Windows\hncHRKIrneRdF.sys
      Filesize

      447KB

      MD5

      d15f5f23df8036bd5089ce8d151b0e0d

      SHA1

      4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

      SHA256

      f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

      SHA512

      feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

      Download Submit

    • C:\Windows\u49sgF4uB3.sys
      Filesize

      415KB

      MD5

      33791901884bf388aeefaadd0f5ca500

      SHA1

      67ffc1b09a81b685c0a683bb7206f5b2ce9a354b

      SHA256

      944616cdbcd7d8f52f20e64941e5e77ae4eb2f1895725593d24ca478fb71534c

      SHA512

      9dbe410686cea950d82b1429fea26179896d5183478347e44ac9b53739659b214445a26e588beecd2daeb88fb5fe5609ce543a9f06ddc1023a2eebfa30a5d2c5

      Download Submit

    • C:\Windows\wQnbr5kIVk1Kt.sys
      Filesize

      415KB

      MD5

      64bc1983743c584a9ad09dacf12792e5

      SHA1

      0f14098f523d21f11129c4df09451413ddff6d61

      SHA256

      057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

      SHA512

      9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

      Download Submit

    • \Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • \Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • \Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • \Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • \Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • \Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • \Windows\Fonts\spreview.exe
      Filesize

      294KB

      MD5

      704cd4cac010e8e6d8de9b778ed17773

      SHA1

      81856abf70640f102b8b3defe2cf65669fe8e165

      SHA256

      4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

      SHA512

      b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

      Download Submit

    • memory/420-44-0x0000000000240000-0x0000000000243000-memory.dmp

      Filesize

      12KB

      Download

    • memory/420-46-0x0000000000810000-0x0000000000838000-memory.dmp

      Filesize

      160KB

      Download

    • memory/420-98-0x0000000000810000-0x0000000000838000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1212-746-0x0000000002560000-0x0000000002682000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1212-747-0x0000000000200000-0x0000000000201000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1212-797-0x0000000002560000-0x0000000002682000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1236-740-0x0000000008C90000-0x0000000008DB2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1236-48-0x0000000006FB0000-0x00000000070A7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1236-17-0x00000000029D0000-0x00000000029D3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1236-796-0x0000000008C90000-0x0000000008DB2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1236-18-0x00000000029D0000-0x00000000029D3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1236-21-0x0000000006FB0000-0x00000000070A7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1236-19-0x00000000029D0000-0x00000000029D3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1236-754-0x0000000008DC0000-0x0000000008DC4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1236-743-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-121-0x00000000029E0000-0x00000000029E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-742-0x00000000001F0000-0x00000000001F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-739-0x0000000002BA0000-0x0000000002BA3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1236-160-0x00000000029E0000-0x00000000029E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1992-203-0x0000000001EF0000-0x0000000002096000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1992-111-0x0000000000240000-0x00000000003DC000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1992-136-0x0000000001EF0000-0x0000000002096000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2144-88-0x0000000000100000-0x000000000016E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2144-20-0x0000000000100000-0x000000000016E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2144-0-0x0000000000100000-0x000000000016E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2144-49-0x0000000000100000-0x000000000016E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2952-56-0x0000000001D80000-0x0000000001E4B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2952-39-0x0000000001D80000-0x0000000001E4B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2952-520-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-104-0x0000000001F80000-0x0000000001FAE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2952-626-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-723-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-726-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-103-0x0000000001F80000-0x0000000001FAE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2952-99-0x0000000037250000-0x0000000037260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2952-101-0x0000000001F70000-0x0000000001F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-102-0x0000000001F70000-0x0000000001F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-744-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-41-0x000007FEBE5B0000-0x000007FEBE5C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2952-173-0x00000000059B0000-0x0000000005AD2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2952-113-0x0000000005E30000-0x0000000005FFA000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2952-37-0x0000000000160000-0x0000000000163000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2952-33-0x0000000000160000-0x0000000000163000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2952-27-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-25-0x0000000000060000-0x0000000000123000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2952-109-0x00000000059B0000-0x0000000005AD2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2952-110-0x0000000001F70000-0x0000000001F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-181-0x0000000005E30000-0x0000000005FFA000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2952-107-0x0000000001FB0000-0x0000000001FBF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2952-795-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-105-0x0000000002AB0000-0x0000000002B67000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2952-106-0x0000000002AB0000-0x0000000002B67000-memory.dmp

      Filesize

      732KB

      Download