bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW INQ vGT410267234500633.exe
Size

384KB
MD5

d94b223af3fd6bedbc1552ffc63b85cd
SHA1

d7524fd3525faa6af6d4c329167c322062fb77b6
SHA256

bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b
SHA512

e91ef8c196f5fae0c5f097175c67c2a7a7988d384ee3bba0468deb4c22c6c3292b4b138cd382430922d80d95daed227057870364fdf0ba5ec413dd61c0162955
SSDEEP

12288:RKt9zvWPOpk/oxQD9inI3PnmLws4475zzgBQvamwvq:oLzpxQD9iIPn38zzwi

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	ppxsvdjxm.exe

Executes dropped EXE 2 IoCs

pid	Process
4476	ppxsvdjxm.exe
5008	ppxsvdjxm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uqavfoktdyidm = "C:\\Users\\Admin\\AppData\\Roaming\\qvfbkgpyuen\\irnwgcl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ppxsvdjxm.exe\" "	ppxsvdjxm.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4476 set thread context of 5008	4476	ppxsvdjxm.exe	87
PID 5008 set thread context of 3260	5008	ppxsvdjxm.exe	49
PID 5008 set thread context of 3720	5008	ppxsvdjxm.exe	105
PID 3720 set thread context of 3260	3720	systray.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3260	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4476	ppxsvdjxm.exe
5008	ppxsvdjxm.exe
3260	Explorer.EXE
3260	Explorer.EXE
3720	systray.exe
3720	systray.exe
3720	systray.exe
3720	systray.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	ppxsvdjxm.exe
Token: SeDebugPrivilege	3720	systray.exe
Token: SeManageVolumePrivilege	2804	svchost.exe
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE
Token: SeShutdownPrivilege	3260	Explorer.EXE
Token: SeCreatePagefilePrivilege	3260	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3260	Explorer.EXE
3260	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3260	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4476	4408	NEW INQ vGT410267234500633.exe	86
PID 4408 wrote to memory of 4476	4408	NEW INQ vGT410267234500633.exe	86
PID 4408 wrote to memory of 4476	4408	NEW INQ vGT410267234500633.exe	86
PID 4476 wrote to memory of 5008	4476	ppxsvdjxm.exe	87
PID 4476 wrote to memory of 5008	4476	ppxsvdjxm.exe	87
PID 4476 wrote to memory of 5008	4476	ppxsvdjxm.exe	87
PID 4476 wrote to memory of 5008	4476	ppxsvdjxm.exe	87
PID 3260 wrote to memory of 3720	3260	Explorer.EXE	105
PID 3260 wrote to memory of 3720	3260	Explorer.EXE	105
PID 3260 wrote to memory of 3720	3260	Explorer.EXE	105
PID 3720 wrote to memory of 3792	3720	systray.exe	110
PID 3720 wrote to memory of 3792	3720	systray.exe	110
PID 3720 wrote to memory of 3792	3720	systray.exe	110

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\NEW INQ vGT410267234500633.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW INQ vGT410267234500633.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe
    "C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe
      "C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:5008
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3792

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
5afc3747b77d7074fdeafabde1ca0ccd

SHA1
4311293074072210f208513610b87c3142493957

SHA256
15a88544897390c5f22288a9c51ef0044b5a879b276575b1eb696276d91858ea

SHA512
4b168504c51b4a7dcd36a2862aea625f3c52a6b1640771b8d63dfc91698d9b05796b10d2f7558ee5a7b15ad47b5bb1b07d2103ad689ae5ebf57153a7e2818667

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppxsvdjxm.exe

Filesize
200KB

MD5
e2b11a71264882a61a309c24903c5696

SHA1
5341f71ee94eb7e32f0fb588a5fe95ebbf06e772

SHA256
b77970e17899b7bd5266444aa666e3d7f39da83878bf09cb6dcd111e9eb5dec5

SHA512
bfe3ff2120531edf0b61d436717c1644da5d4f68ba0470977c7c87f6565d683686e55c183a411c7abbddc8547a45db8bd6372fe52bc33fe7a914548b20b6b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqndp.yn

Filesize
250KB

MD5
daf88cc0b867ad283c8de71074574e3d

SHA1
3f70e96bd3daa0e0dd2db29c14cc3dd7ea8239e9

SHA256
9ce0418bda184b005a58c40a535740cb0b4a5bd946f4fd913512109915831e08

SHA512
76f62207afc5268c6e43317f412409322449febaf1ea9765153b95e394d2494b935eaf3b46b6f8149ef49d3b199ecad5043b208e6975a4150d1b84722a8f938b

Download Submit
memory/2804-79-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-77-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-83-0x000002241EC20000-0x000002241EC21000-memory.dmp

Filesize
4KB

Download
memory/2804-81-0x000002241EC10000-0x000002241EC11000-memory.dmp

Filesize
4KB

Download
memory/2804-105-0x000002241EE70000-0x000002241EE71000-memory.dmp

Filesize
4KB

Download
memory/2804-104-0x000002241ED60000-0x000002241ED61000-memory.dmp

Filesize
4KB

Download
memory/2804-103-0x000002241ED60000-0x000002241ED61000-memory.dmp

Filesize
4KB

Download
memory/2804-80-0x000002241EC20000-0x000002241EC21000-memory.dmp

Filesize
4KB

Download
memory/2804-89-0x000002241EB50000-0x000002241EB51000-memory.dmp

Filesize
4KB

Download
memory/2804-78-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-101-0x000002241ED50000-0x000002241ED51000-memory.dmp

Filesize
4KB

Download
memory/2804-69-0x000002241EFD0000-0x000002241EFD1000-memory.dmp

Filesize
4KB

Download
memory/2804-76-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-75-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-74-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-73-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-72-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-86-0x000002241EC10000-0x000002241EC11000-memory.dmp

Filesize
4KB

Download
memory/2804-71-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-37-0x0000022416940000-0x0000022416950000-memory.dmp

Filesize
64KB

Download
memory/2804-70-0x000002241EFF0000-0x000002241EFF1000-memory.dmp

Filesize
4KB

Download
memory/2804-53-0x0000022416A40000-0x0000022416A50000-memory.dmp

Filesize
64KB

Download
memory/3260-29-0x000000000C770000-0x000000000F86B000-memory.dmp

Filesize
49.0MB

Download
memory/3260-28-0x00000000081A0000-0x00000000082A2000-memory.dmp

Filesize
1.0MB

Download
memory/3260-27-0x00000000081A0000-0x00000000082A2000-memory.dmp

Filesize
1.0MB

Download
memory/3260-18-0x000000000C770000-0x000000000F86B000-memory.dmp

Filesize
49.0MB

Download
memory/3260-107-0x00000000081A0000-0x00000000082A2000-memory.dmp

Filesize
1.0MB

Download
memory/3720-30-0x0000000000540000-0x0000000000576000-memory.dmp

Filesize
216KB

Download
memory/3720-26-0x0000000002490000-0x0000000002532000-memory.dmp

Filesize
648KB

Download
memory/3720-25-0x0000000000540000-0x0000000000576000-memory.dmp

Filesize
216KB

Download
memory/3720-24-0x00000000025B0000-0x00000000028FA000-memory.dmp

Filesize
3.3MB

Download
memory/3720-20-0x0000000000540000-0x0000000000576000-memory.dmp

Filesize
216KB

Download
memory/3720-19-0x0000000000540000-0x0000000000576000-memory.dmp

Filesize
216KB

Download
memory/3720-106-0x0000000002490000-0x0000000002532000-memory.dmp

Filesize
648KB

Download
memory/4476-5-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/5008-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5008-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5008-23-0x0000000004130000-0x0000000004153000-memory.dmp

Filesize
140KB

Download
memory/5008-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5008-17-0x0000000004130000-0x0000000004153000-memory.dmp

Filesize
140KB

Download
memory/5008-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5008-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5008-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5008-11-0x00000000009F0000-0x0000000000D3A000-memory.dmp

Filesize
3.3MB

Download