Overview

overview

10

Static

static

3

2da8e90dd0...d7.exe

windows7-x64

10

2da8e90dd0...d7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2023 11:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe

  • Size

    625KB

  • MD5

    1397cf8d91b63946171a9133d5e9cec7

  • SHA1

    1a1acbeb404dc06a8a50247480059dbb4e6ea41e

  • SHA256

    2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7

  • SHA512

    ea8bf3b87c6cc7113a85744dfd5fe8bc493c8becb5cde726fa6a5dd78a95fba523b5d55b0110b35ea423a97c7f65f1f3249f18cadb2d7f668e7e928770ee3e93

  • SSDEEP

    6144:YZmsQhU+bZVx5rLKJzu6gLP44ZwcDy/qF6cEOkCybEaQRXr9HNdvOapLj7iq2zr3:8UF30Ngj44ecDyfOkx2LIapLyV

Score
10/10
upxvmprotect

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 9 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 23 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\Windows\TpmInit.exe
        "C:\Windows\TpmInit.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2744
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
        "C:\Users\Admin\AppData\Local\Temp\2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe"
        2⤵
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2936
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1152

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab41B4.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabCC65.tmp
      Filesize

      29KB

      MD5

      d59a6b36c5a94916241a3ead50222b6f

      SHA1

      e274e9486d318c383bc4b9812844ba56f0cff3c6

      SHA256

      a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

      SHA512

      17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar5DFD.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a1859f44.tmp
      Filesize

      8.7MB

      MD5

      bc04d55a870830510d52e2e36c51fef7

      SHA1

      4158732d50021eb7b6dd0a9f7b2a7e6edac16826

      SHA256

      770d13d793c256d91cb7931bb32fe42934bcfdfc212ff71f665b3cce607b6dd1

      SHA512

      d3a22aef8c68e8296ecd77dc0529cb35131dd3506bc2f0370e52b2895055b6631876aa408e0e01e5924d92ac53494ec8e22cd87ee5f64de6f14ac8148bd01ea9

      Download Submit

    • C:\Windows\BTaMgTczIr3G9f.sys
      Filesize

      165KB

      MD5

      8b0a776615a75b367b7e2a86a4d0bc8f

      SHA1

      2bfa5ca0afdf8c36039553c652eaee2de9e011d2

      SHA256

      affdfa1299ff3219da4847d9c14326a0a42cd8c1c4a128e4b486b1103c2e1586

      SHA512

      4ce2564fc8e21f6b8e97cd481bdc88c8fbe8928001e926bbaca0ada8e2d8b4243049e61f33d100d02e93e49abeeea235e0b1fb61b2f870f991eff1f7eb154c75

      Download Submit

    • C:\Windows\IcB8SXybqA.sys
      Filesize

      165KB

      MD5

      240fe254754a2fe23cfb1dfb7ab292d9

      SHA1

      dd4945ee3955c1bb1e2a54aa13a235b41ffae57a

      SHA256

      466fdedb0a54e3502f3d1a8cac0646729c55f17a808fcfb51c8cb489012fa978

      SHA512

      5a418e34ba794c11203a174e47f1a822b42efd452d3bcf1a6e656f6b970a08f1e4b42d1aab08866f5b08348114343803a8baa47946d725bfdde069757099a739

      Download Submit

    • C:\Windows\PM0KVQGWJ6xh.sys
      Filesize

      165KB

      MD5

      a9147d9136c83671340463124184052c

      SHA1

      e6cb150312bc325ff89030b75ba9c5da9bd24760

      SHA256

      ca5e6188650898e3481ba599a737bb8bf3ad23e2bfffb15a34e55b5fc3e36188

      SHA512

      9aa4f70a8399a9e56ceedf418e77d1cc731a05fa53d25667604f11500211c643486ceb79b6f8ddcda52955d7da0083838d103992ae77770695aba1b7eb2cd009

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      da65b3b3f21c5f70732bbf76cee3bb2f

      SHA1

      85c801b4c22eb021c3269c0d322b8a0fb6bdf0c3

      SHA256

      dc92ff6c6a20f6fe6635a05536809ca21b49727aa2c9a6bc44d6348fc3eb6a44

      SHA512

      64197abd6bcc268dd379ef9b3d30f4e94ae6b5fb595df38a448e5eba85c0ef586a3dd17a72dfe461ee4bd6be70c1a375ee6c99c35a9b686b39ebac1c077b865e

      Download Submit

    • C:\Windows\TpmInit.exe
      Filesize

      112KB

      MD5

      8b5eb38e08a678afa129e23129ca1e6d

      SHA1

      a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

      SHA256

      4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

      SHA512

      a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

      Download Submit

    • C:\Windows\TpmInit.exe
      Filesize

      112KB

      MD5

      8b5eb38e08a678afa129e23129ca1e6d

      SHA1

      a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

      SHA256

      4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

      SHA512

      a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

      Download Submit

    • C:\Windows\TpmInit.exe
      Filesize

      112KB

      MD5

      8b5eb38e08a678afa129e23129ca1e6d

      SHA1

      a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

      SHA256

      4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

      SHA512

      a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

      Download Submit

    • C:\Windows\mnKCgBswYN.sys
      Filesize

      165KB

      MD5

      37532811e219d315d089aa4cc338d212

      SHA1

      145328ba2fa5ef5ac9a5d20fb22f3f52a0f6883e

      SHA256

      3e75c174c47394761319e8d59f0e99141bb00288b58c785854e389a3550957b9

      SHA512

      dbb954d5debd27a1f95036d564d3eae42fe6e4ef43ba93ecc9c34706efbf922c8223de528544fcbee06835d6ac02237f08d914f4021266e9c5f1c8c66f8baea8

      Download Submit

    • memory/420-94-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

      Download

    • memory/420-40-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1152-612-0x00000000023E0000-0x0000000002503000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1152-598-0x00000000023E0000-0x0000000002503000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1152-601-0x0000000001A20000-0x0000000001A21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1204-599-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1204-395-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1204-83-0x0000000007450000-0x0000000007547000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1204-596-0x0000000002ED0000-0x0000000002ED3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1204-595-0x0000000008E20000-0x0000000008F43000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1204-66-0x0000000007450000-0x0000000007547000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1204-600-0x0000000008F50000-0x0000000008F54000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1204-610-0x0000000008E20000-0x0000000008F43000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1204-449-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1204-105-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1204-20-0x0000000007450000-0x0000000007547000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1204-421-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1204-17-0x0000000002BE0000-0x0000000002BE3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1204-408-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1204-172-0x0000000002010000-0x0000000002021000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1204-18-0x0000000002BE0000-0x0000000002BE3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1204-19-0x0000000007450000-0x0000000007547000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1204-16-0x0000000002BE0000-0x0000000002BE3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2744-166-0x0000000002010000-0x0000000002011000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-164-0x00000000055F0000-0x00000000057B5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2744-152-0x0000000004060000-0x0000000004183000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2744-103-0x00000000055F0000-0x00000000057B5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2744-101-0x0000000001F60000-0x0000000001F61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-100-0x0000000004060000-0x0000000004183000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2744-97-0x0000000001F60000-0x0000000001F61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-577-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-591-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-96-0x0000000001F60000-0x0000000001F61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-592-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-95-0x0000000001F70000-0x0000000001F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-93-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2744-91-0x0000000037650000-0x0000000037660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-84-0x0000000001DC0000-0x0000000001E8B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2744-37-0x000007FEBF5A0000-0x000007FEBF5B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-36-0x0000000001DC0000-0x0000000001E8B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2744-34-0x0000000001DC0000-0x0000000001E8B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2744-608-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-609-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-30-0x0000000000110000-0x0000000000113000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2744-611-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-24-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-23-0x00000000001A0000-0x0000000000263000-memory.dmp

      Filesize

      780KB

      Download