Analysis

  • max time kernel
    118s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2023 03:15

General

  • Target

    Rootkits/757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe

  • Size

    9.5MB

  • MD5

    d76e73e0235f77c9bf5578eb51a9bf9a

  • SHA1

    23f26097829f9591164c509831b627964ffdecf9

  • SHA256

    757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8

  • SHA512

    a41f9f136fec5842aeeb3ad87ad6874a708c374bb6680ce7a5cbd4539e262e9096825c8246b0cc5c280358e2f51c5ed5fa67050b33b67bb3e2349db3fae6db18

  • SSDEEP

    196608:xOw0fyB+aXfyBb861vQowxMwCYRE3xSnZtAJzwCiHjx40TJnBGy4n6C:x+aX6eFo+ZJEBSnbASBHjx40TlE6C

Score
7/10

Malware Config

Signatures

  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
    "C:\Users\Admin\AppData\Local\Temp\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
      2⤵
        PID:2916

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2952-0-0x0000000000400000-0x000000000151E000-memory.dmp

      Filesize

      17.1MB

    • memory/2952-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/2952-4-0x0000000000400000-0x000000000151E000-memory.dmp

      Filesize

      17.1MB

    • memory/2952-5-0x0000000000400000-0x000000000151E000-memory.dmp

      Filesize

      17.1MB

    • memory/2952-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB