0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
Size

442KB
MD5

373c6219efb1bc65fd477fa1645ca12c
SHA1

aef11fedbb51cb4994c92c83e7bbe7d099fd2f6a
SHA256

0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726
SHA512

cf2f50e84b1f49e032d23027b2b4843bbc592843ef83a2bb0c376e5892d75a24ec8089d1f61a5458bd1ba0cf2782b6ac4557a427cd13e76e7c481b1a973c7346
SSDEEP

6144:OZmsQhU+bZVx5rLKJzu6gLP44Zw4DydqFncEOkCybEaQRXr9HNdvOaXqL:qUF30Ngj44e4DyyOkx2LIaXqL

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3344 created 596	3344	Explorer.EXE	5

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\IYYYXpda.sys	rasdial.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe

Executes dropped EXE 1 IoCs

pid	Process
3304	rasdial.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3092-0-0x00000000002C0000-0x0000000000331000-memory.dmp	upx
behavioral2/memory/3092-46-0x00000000002C0000-0x0000000000331000-memory.dmp	upx
behavioral2/memory/3092-51-0x00000000002C0000-0x0000000000331000-memory.dmp	upx
behavioral2/files/0x0007000000022e2f-80.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	rasdial.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	rasdial.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	rasdial.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	rasdial.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	rasdial.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	rasdial.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	rasdial.exe
File created	C:\Windows\system32\ \Windows\System32\Lqzij5.sys	rasdial.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	rasdial.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	rasdial.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	rasdial.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\b0abRy.sys	rasdial.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	rasdial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	rasdial.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	rasdial.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4240	timeout.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rasdial.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rasdial.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rasdial.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rasdial.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rasdial.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rasdial.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rasdial.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rasdial.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rasdial.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe
3304	rasdial.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3344	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
Token: SeTcbPrivilege	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
Token: SeDebugPrivilege	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
Token: SeDebugPrivilege	3344	Explorer.EXE
Token: SeDebugPrivilege	3344	Explorer.EXE
Token: SeDebugPrivilege	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
Token: SeDebugPrivilege	3304	rasdial.exe
Token: SeDebugPrivilege	3304	rasdial.exe
Token: SeDebugPrivilege	3304	rasdial.exe
Token: SeIncBasePriorityPrivilege	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeDebugPrivilege	3304	rasdial.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3344	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 3344	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	56
PID 3092 wrote to memory of 3344	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	56
PID 3092 wrote to memory of 3344	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	56
PID 3092 wrote to memory of 3344	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	56
PID 3092 wrote to memory of 3344	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	56
PID 3344 wrote to memory of 3304	3344	Explorer.EXE	89
PID 3344 wrote to memory of 3304	3344	Explorer.EXE	89
PID 3344 wrote to memory of 3304	3344	Explorer.EXE	89
PID 3344 wrote to memory of 3304	3344	Explorer.EXE	89
PID 3344 wrote to memory of 3304	3344	Explorer.EXE	89
PID 3344 wrote to memory of 3304	3344	Explorer.EXE	89
PID 3344 wrote to memory of 3304	3344	Explorer.EXE	89
PID 3092 wrote to memory of 596	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	5
PID 3092 wrote to memory of 596	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	5
PID 3092 wrote to memory of 596	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	5
PID 3092 wrote to memory of 596	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	5
PID 3092 wrote to memory of 596	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	5
PID 3092 wrote to memory of 1312	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	96
PID 3092 wrote to memory of 1312	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	96
PID 3092 wrote to memory of 1312	3092	0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe	96
PID 1312 wrote to memory of 4240	1312	cmd.exe	98
PID 1312 wrote to memory of 4240	1312	cmd.exe	98
PID 1312 wrote to memory of 4240	1312	cmd.exe	98

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\rasdial.exe
  "C:\rasdial.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3304

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\AppData\Local\Temp\0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
  "C:\Users\Admin\AppData\Local\Temp\0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\834b3e0a.tmp

Filesize
14.1MB

MD5
e3148fefbf17dbb79605c1002bf7d5af

SHA1
79784b400961846cd7e24e48f91357390cceb033

SHA256
a139d17b9100fbdf0de7e0203be2aeb1516f0eaafa557861ca321832d2f39f0a

SHA512
4caaf5a17ab7b61ea457985eb5366c96f6480d63c6d1ef5cf10fd5c3f26571bd8335b07293b5f3f1974fe7b380f6677247ea06095889903fda3dd9494ce0c396

Download Submit
C:\rasdial.exe

Filesize
20KB

MD5
63e72a854c787371cb26590269c1e93e

SHA1
d3f856ee0d592295456e1a6756e3e7962b2f16bb

SHA256
a5d1f1c9a53f285d027cd1d57326fb323c4b90fbfef9b9806a46328a09b7bf08

SHA512
015d18fa787ef949fa1b3fad7a81b0438a24735c304177a70f0a3701db74058a18897d03888ea6e55bf4c2d218e2e5c62ecdeb8e32846fe5994ea62250b65cc0

Download Submit
C:\rasdial.exe

Filesize
20KB

MD5
63e72a854c787371cb26590269c1e93e

SHA1
d3f856ee0d592295456e1a6756e3e7962b2f16bb

SHA256
a5d1f1c9a53f285d027cd1d57326fb323c4b90fbfef9b9806a46328a09b7bf08

SHA512
015d18fa787ef949fa1b3fad7a81b0438a24735c304177a70f0a3701db74058a18897d03888ea6e55bf4c2d218e2e5c62ecdeb8e32846fe5994ea62250b65cc0

Download Submit
memory/596-17-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3092-0-0x00000000002C0000-0x0000000000331000-memory.dmp

Filesize
452KB

Download
memory/3092-51-0x00000000002C0000-0x0000000000331000-memory.dmp

Filesize
452KB

Download
memory/3092-46-0x00000000002C0000-0x0000000000331000-memory.dmp

Filesize
452KB

Download
memory/3304-57-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-61-0x000002720D4F0000-0x000002720D6B5000-memory.dmp

Filesize
1.8MB

Download
memory/3304-12-0x00007FF8ACDB0000-0x00007FF8ACDC0000-memory.dmp

Filesize
64KB

Download
memory/3304-13-0x000002720A9A0000-0x000002720AA6B000-memory.dmp

Filesize
812KB

Download
memory/3304-45-0x00007FF8ACDB0000-0x00007FF8ACDC0000-memory.dmp

Filesize
64KB

Download
memory/3304-11-0x000002720A9A0000-0x000002720AA6B000-memory.dmp

Filesize
812KB

Download
memory/3304-47-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-9-0x000002720A6E0000-0x000002720A6E3000-memory.dmp

Filesize
12KB

Download
memory/3304-83-0x000002720D4F0000-0x000002720D6B5000-memory.dmp

Filesize
1.8MB

Download
memory/3304-54-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-53-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-55-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-56-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-74-0x000002720D4F0000-0x000002720D6B5000-memory.dmp

Filesize
1.8MB

Download
memory/3304-58-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-59-0x000002720A9A0000-0x000002720AA6B000-memory.dmp

Filesize
812KB

Download
memory/3304-60-0x000002720C570000-0x000002720C5B5000-memory.dmp

Filesize
276KB

Download
memory/3304-14-0x000002720A9A0000-0x000002720AA6B000-memory.dmp

Filesize
812KB

Download
memory/3304-62-0x000002720C430000-0x000002720C432000-memory.dmp

Filesize
8KB

Download
memory/3304-63-0x000002720C430000-0x000002720C432000-memory.dmp

Filesize
8KB

Download
memory/3304-64-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-65-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-66-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-67-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-68-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-70-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-71-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-69-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-72-0x000001FE30B70000-0x000001FE30B98000-memory.dmp

Filesize
160KB

Download
memory/3304-73-0x000002720C570000-0x000002720C5B5000-memory.dmp

Filesize
276KB

Download
memory/3344-4-0x0000000008D90000-0x0000000008E89000-memory.dmp

Filesize
996KB

Download
memory/3344-2-0x00000000085D0000-0x00000000085D3000-memory.dmp

Filesize
12KB

Download
memory/3344-1-0x00000000085D0000-0x00000000085D3000-memory.dmp

Filesize
12KB

Download
memory/3344-52-0x0000000008D90000-0x0000000008E89000-memory.dmp

Filesize
996KB

Download