Overview

overview

10

Static

static

7

ee882c7298...d9.exe

windows7-x64

10

ee882c7298...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2023, 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe

  • Size

    2.0MB

  • MD5

    396936c3276814680b90a5641f158dfa

  • SHA1

    0b88285750160285e27f242ec480a9cf2b40f5b5

  • SHA256

    ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9

  • SHA512

    4e838dc7771f2836f1caf40a2c05cfc874e0fdf4ed384879ca5719c0149b05b99998a90823de1af0e4a292c99a915fea0709557defa9c30f6d26db2bd73b3e21

  • SSDEEP

    12288:SOuW5o/oStscy+4CWKKCrZTGF/k8uMxtxPvvzz5KnL/JLW8Wdvp/8DeBo1irkoEQ:SjSow18JbKkKF/eMNPjgI1rh

Score
10/10
upxvmprotect

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops file in Drivers directory 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 23 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:336
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:632
      • C:\Windows\wiawow64.exe
        "C:\Windows\wiawow64.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Windows\system32\runonce.exe
          "C:\Windows\system32\runonce.exe"
          3⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:2464
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Users\Admin\AppData\Local\Temp\ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe
        "C:\Users\Admin\AppData\Local\Temp\ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe"
        2⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3920
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2036

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\HHfrGQaAe6GT.sys
      Filesize

      415KB

      MD5

      64bc1983743c584a9ad09dacf12792e5

      SHA1

      0f14098f523d21f11129c4df09451413ddff6d61

      SHA256

      057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

      SHA512

      9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

      Download Submit

    • C:\Windows\KMtQ49ibYTMtTL.sys
      Filesize

      447KB

      MD5

      82e9fa2573b81c7b1c0f6209b4f44b6c

      SHA1

      6126218e677ca1dd9139c9267aa40dcc58936274

      SHA256

      a18c6c4ca31cfc43bb455212b67072a65d27c423d2e2bb6164eac6eda9d750fb

      SHA512

      51761b70f5f93e7f8f4de981d73168cf25b76a816df444d821cdc657e3c87e4e7d5aa9f615f15a8b75e184ff5906930472348c45c3fc10d0f5964442c568d688

      Download Submit

    • C:\Windows\d1Kn8ExOz5.sys
      Filesize

      415KB

      MD5

      7bada704db29ee9510021fa9683914d7

      SHA1

      629a95e8f6e77f352c7e3d673924f81d6fb80094

      SHA256

      7c758ea877cb3b133e2f773e8ec47f0a2d5a2713806059a67e2e2513931a045a

      SHA512

      ed64f744b505e0f0b6823150bab62fb4732d587cfb3ffbf85aff696c398d4c63533d1c54a339e33d1066e1194bee74c316077263fcfac1e229317015802990fb

      Download Submit

    • C:\Windows\vqG38yWNvEY.sys
      Filesize

      447KB

      MD5

      d15f5f23df8036bd5089ce8d151b0e0d

      SHA1

      4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

      SHA256

      f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

      SHA512

      feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

      Download Submit

    • C:\Windows\wiawow64.exe
      Filesize

      38KB

      MD5

      57672b94bf24e8ec8dcd56f28142f60a

      SHA1

      0ed9edf34ae137e3ef5f6a619e1fa12b0eb9d051

      SHA256

      5cbb42d37f3fea5496598a6fe85405047c7e78697e6fa474353cfedcae9883ea

      SHA512

      c038a89ca60d0a95de4c5395f49f07134f63b748f331d02001e0d21ddd8f7454d376e9b0dcbb6166314e5f13bf51880cd540f854fc3c1e755c22c90a0c9dd832

      Download Submit

    • C:\Windows\wiawow64.exe
      Filesize

      38KB

      MD5

      57672b94bf24e8ec8dcd56f28142f60a

      SHA1

      0ed9edf34ae137e3ef5f6a619e1fa12b0eb9d051

      SHA256

      5cbb42d37f3fea5496598a6fe85405047c7e78697e6fa474353cfedcae9883ea

      SHA512

      c038a89ca60d0a95de4c5395f49f07134f63b748f331d02001e0d21ddd8f7454d376e9b0dcbb6166314e5f13bf51880cd540f854fc3c1e755c22c90a0c9dd832

      Download Submit

    • memory/336-328-0x000001B11EEF0000-0x000001B11F012000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/336-330-0x000001B11F030000-0x000001B11F031000-memory.dmp

      Filesize

      4KB

      Download

    • memory/336-331-0x000001B11F040000-0x000001B11F044000-memory.dmp

      Filesize

      16KB

      Download

    • memory/336-337-0x000001B11EEF0000-0x000001B11F012000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/632-58-0x000001A0AA210000-0x000001A0AA211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-17-0x000001A0AA0C0000-0x000001A0AA0C3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/632-19-0x000001A0AA210000-0x000001A0AA211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-20-0x000001A0AA0D0000-0x000001A0AA0F8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/632-59-0x000001A0AA0D0000-0x000001A0AA0F8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2464-69-0x0000025DD2840000-0x0000025DD29E6000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/3112-310-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3112-74-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3112-1-0x00000000074C0000-0x00000000074C3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3112-336-0x000000000A830000-0x000000000A952000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3112-332-0x000000000A960000-0x000000000A964000-memory.dmp

      Filesize

      16KB

      Download

    • memory/3112-2-0x00000000074C0000-0x00000000074C3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3112-3-0x00000000074C0000-0x00000000074C3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3112-4-0x00000000074E0000-0x00000000074E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3112-5-0x0000000008AB0000-0x0000000008BA7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/3112-327-0x0000000002690000-0x0000000002691000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3112-326-0x0000000002680000-0x0000000002681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3112-325-0x000000000A830000-0x000000000A952000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3112-323-0x0000000002650000-0x0000000002653000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3112-317-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3112-53-0x0000000008AB0000-0x0000000008BA7000-memory.dmp

      Filesize

      988KB

      Download

    • memory/3952-90-0x000001C26ECB0000-0x000001C26ECB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-60-0x000001C26E790000-0x000001C26E791000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-68-0x000001C26E780000-0x000001C26E781000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-72-0x000001C26EE90000-0x000001C26EEBE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3952-75-0x000001C26ECB0000-0x000001C26ECB2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3952-71-0x000001C26FFF0000-0x000001C270112000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3952-80-0x000001C26EEC0000-0x000001C26EEC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-82-0x000001C26ECC0000-0x000001C26ED77000-memory.dmp

      Filesize

      732KB

      Download

    • memory/3952-66-0x000001C26FE20000-0x000001C26FFEA000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3952-12-0x000001C26DD70000-0x000001C26DE3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3952-95-0x000001C26FE20000-0x000001C26FFEA000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3952-105-0x000001C26ECB0000-0x000001C26ECB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-114-0x000001C26FFF0000-0x000001C270112000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3952-115-0x000001C26ECB0000-0x000001C26ECB2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3952-14-0x000001C26C450000-0x000001C26C451000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-13-0x000001C26DD70000-0x000001C26DE3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3952-10-0x000001C26C180000-0x000001C26C183000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3952-55-0x000001C26DD70000-0x000001C26DE3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3952-65-0x000001C26EDC0000-0x000001C26EDCF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/3952-318-0x000001C26EEE0000-0x000001C26EEE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-319-0x000001C26E570000-0x000001C26E571000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-64-0x000001C26ECB0000-0x000001C26ECB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-62-0x000001C26E790000-0x000001C26E791000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-63-0x000001C26ECC0000-0x000001C26ED77000-memory.dmp

      Filesize

      732KB

      Download

    • memory/3952-61-0x000001C26E570000-0x000001C26E571000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-15-0x00007FFF7CBD0000-0x00007FFF7CBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3952-335-0x000001C26E570000-0x000001C26E571000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-52-0x00007FFF7CBD0000-0x00007FFF7CBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3952-57-0x000001C26C450000-0x000001C26C451000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3952-56-0x000001C26E780000-0x000001C26E781000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4572-27-0x0000000000610000-0x000000000067E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/4572-0-0x0000000000610000-0x000000000067E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/4572-54-0x0000000000610000-0x000000000067E000-memory.dmp

      Filesize

      440KB

      Download