bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
22/11/2023, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW INQ vGT410267234500633.exe
Size

384KB
MD5

d94b223af3fd6bedbc1552ffc63b85cd
SHA1

d7524fd3525faa6af6d4c329167c322062fb77b6
SHA256

bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b
SHA512

e91ef8c196f5fae0c5f097175c67c2a7a7988d384ee3bba0468deb4c22c6c3292b4b138cd382430922d80d95daed227057870364fdf0ba5ec413dd61c0162955
SSDEEP

12288:RKt9zvWPOpk/oxQD9inI3PnmLws4475zzgBQvamwvq:oLzpxQD9iIPn38zzwi

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Control Panel\International\Geo\Nation	ppxsvdjxm.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	ppxsvdjxm.exe
2552	ppxsvdjxm.exe

Loads dropped DLL 4 IoCs

pid	Process
2432	NEW INQ vGT410267234500633.exe
2432	NEW INQ vGT410267234500633.exe
2152	ppxsvdjxm.exe
2896	mstsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\uqavfoktdyidm = "C:\\Users\\Admin\\AppData\\Roaming\\qvfbkgpyuen\\irnwgcl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ppxsvdjxm.exe\" "	ppxsvdjxm.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 2552	2152	ppxsvdjxm.exe	29
PID 2552 set thread context of 1192	2552	ppxsvdjxm.exe	10
PID 2552 set thread context of 2896	2552	ppxsvdjxm.exe	33
PID 2896 set thread context of 1192	2896	mstsc.exe	10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1192	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2152	ppxsvdjxm.exe
2552	ppxsvdjxm.exe
1192	Explorer.EXE
1192	Explorer.EXE
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe
2896	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	ppxsvdjxm.exe
Token: SeDebugPrivilege	2896	mstsc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2152	2432	NEW INQ vGT410267234500633.exe	28
PID 2432 wrote to memory of 2152	2432	NEW INQ vGT410267234500633.exe	28
PID 2432 wrote to memory of 2152	2432	NEW INQ vGT410267234500633.exe	28
PID 2432 wrote to memory of 2152	2432	NEW INQ vGT410267234500633.exe	28
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 2152 wrote to memory of 2552	2152	ppxsvdjxm.exe	29
PID 1192 wrote to memory of 2896	1192	Explorer.EXE	33
PID 1192 wrote to memory of 2896	1192	Explorer.EXE	33
PID 1192 wrote to memory of 2896	1192	Explorer.EXE	33
PID 1192 wrote to memory of 2896	1192	Explorer.EXE	33
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35
PID 2896 wrote to memory of 1480	2896	mstsc.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\NEW INQ vGT410267234500633.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW INQ vGT410267234500633.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe
    "C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe
      "C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2552
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqndp.yn

Filesize
250KB

MD5
daf88cc0b867ad283c8de71074574e3d

SHA1
3f70e96bd3daa0e0dd2db29c14cc3dd7ea8239e9

SHA256
9ce0418bda184b005a58c40a535740cb0b4a5bd946f4fd913512109915831e08

SHA512
76f62207afc5268c6e43317f412409322449febaf1ea9765153b95e394d2494b935eaf3b46b6f8149ef49d3b199ecad5043b208e6975a4150d1b84722a8f938b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpaxc.zip

Filesize
478KB

MD5
72b88067a5a1a4f8d52c45e6621d13fe

SHA1
f84542474b8583f4371749282e5cc4d52661c222

SHA256
70a11669bb8ad1099fd7fba9da92e1a75124bef0d16a01fd10dcdc45e9582092

SHA512
a8bf75fd4f38e4c8dee5e6f2527062c5be21f5a8bae4ea561f4aa28139d65a6f215afb212f1e4857ee482e16e813fc0d63ef8ec43ec94d5f8a722489e89e154d

Download Submit
\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/1192-35-0x00000000089C0000-0x000000000ABB7000-memory.dmp

Filesize
34.0MB

Download
memory/1192-79-0x0000000006A20000-0x0000000006B22000-memory.dmp

Filesize
1.0MB

Download
memory/1192-24-0x00000000089C0000-0x000000000ABB7000-memory.dmp

Filesize
34.0MB

Download
memory/1192-34-0x0000000006A20000-0x0000000006B22000-memory.dmp

Filesize
1.0MB

Download
memory/1192-21-0x0000000003760000-0x0000000003860000-memory.dmp

Filesize
1024KB

Download
memory/1192-33-0x0000000006A20000-0x0000000006B22000-memory.dmp

Filesize
1.0MB

Download
memory/2152-9-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2552-23-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2552-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-29-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2552-17-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/2552-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2896-32-0x00000000009B0000-0x0000000000A52000-memory.dmp

Filesize
648KB

Download
memory/2896-30-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/2896-36-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2896-31-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2896-25-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2896-77-0x0000000061E00000-0x0000000061ECF000-memory.dmp

Filesize
828KB

Download
memory/2896-78-0x00000000009B0000-0x0000000000A52000-memory.dmp

Filesize
648KB

Download
memory/2896-26-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download