Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2023, 23:23

General

  • Target

    4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe

  • Size

    223KB

  • MD5

    4cdae24b3e1563366f3bdb53f7f94af2

  • SHA1

    34c37775f537a1a871a532883f3d9a32ce153cd3

  • SHA256

    4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c

  • SHA512

    f5652a55abcfd37fd4cdf4a17dd0580ef1a2a5015ba177ac64bf067a916d13a9f7b3f6d2b9c2097e1609be6f835ca7844ef0fd9e7a799e56c7fc247549e0f30d

  • SSDEEP

    3072:2Z7wXfSRZ0ON/EwW66wN94xu4CkAZJM2k5D66L+NfGbVON2Nqi/6gS5UoWXHz72n:CwPSUONLNsuWA7koN+boRi9S6oiz72D

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops file in Drivers directory 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country code configured in the registry, probably as a geofence check.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Unexpected DNS network traffic destination 1 IoCs

    Traffic on the DNS port to servers other than the configured DNS servers was detected.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 23 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI device identifiers are often read to detect virtualised or sandboxed environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:620
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:60
      • C:\Windows\sdchange.exe
        "C:\Windows\sdchange.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\system32\wbadmin.exe
          "C:\Windows\system32\wbadmin.exe"
          3⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:3580
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Users\Admin\AppData\Local\Temp\4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe
        "C:\Users\Admin\AppData\Local\Temp\4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe"
        2⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:376
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2184
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:4708
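    The process tree and signatures above describe behaviours that translate directly into host-level detections: the dropped sdchange.exe running under winlogon.exe while the report also flags NtCreateUserProcessOtherParentProcess, a cmd.exe /c timeout /t 1 & del ... self-delete of the original sample, randomly named .sys files written straight into C:\Windows, registry reads behind the "Checks computer location settings" and "Checks SCSI registry key(s)" signatures, and DNS-port traffic to a server that is not the configured resolver. The Python below is an added example, not code from the sandbox vendor or from the sample: it encodes those checks as rules and runs them over constructed event records shaped like the report's process tree. The event field names, the resolver and destination IP addresses, and the example.sys filename are assumptions.

```python
"""Triage rules for the behaviours in the sandbox report above.

Added example; not code from the sandbox or the sample. The events below are
constructed to mirror the report's process tree, dropped files and signatures.
Field names (type, image, parent_image, cmdline, target, key, dst_ip, dst_port)
are assumptions, not the schema of any real log source.
"""
import re

WINLOGON = r"c:\windows\system32\winlogon.exe"
# Direct children of winlogon.exe that are normal in a Windows 10 session.
# Anything else under winlogon.exe deserves a look: sdchange.exe sits there in
# the report next to the NtCreateUserProcessOtherParentProcess signature.
WINLOGON_CHILDREN = {
    r"c:\windows\system32\dwm.exe",
    r"c:\windows\system32\userinit.exe",
    r"c:\windows\system32\logonui.exe",
    r"c:\windows\system32\fontdrvhost.exe",
}
# cmd.exe /c timeout /t N & del /Q /F "<path>": the self-delete idiom in the tree.
SELF_DELETE = re.compile(r'timeout\s+/t\s+\d+\s*&\s*del\b[^"]*"([^"]+)"', re.I)
# Registry paths behind the location-settings and SCSI signatures.
GEO_KEY = r"\control panel\international\geo"
SCSI_KEY = r"hklm\hardware\devicemap\scsi"
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


def check_process(ev):
    hits = []
    image, parent = ev["image"].lower(), ev["parent_image"].lower()
    if parent == WINLOGON and image not in WINLOGON_CHILDREN:
        hits.append(("unexpected winlogon child", ev["image"]))
    m = SELF_DELETE.search(ev.get("cmdline", ""))
    if m and m.group(1).lower() == parent:  # the file being deleted is the parent
        hits.append(("self-delete via timeout/del", m.group(1)))
    return hits


def check_file(ev):
    target = ev["target"].lower()
    if not target.endswith(".sys"):
        return []
    # A driver written straight into C:\Windows (as the four .sys files in the
    # report were) is odder than one written into System32\drivers, so say which.
    where = "in drivers dir" if target.startswith(DRIVERS_DIR) else "outside drivers dir"
    return [("driver file written " + where, ev["target"])]


def check_registry(ev):
    key = ev["key"].lower()
    if GEO_KEY in key:
        return [("geolocation lookup (possible geofence)", ev["key"])]
    if SCSI_KEY in key:
        return [("SCSI identifier read (sandbox probe)", ev["key"])]
    return []


def check_network(ev, configured_dns):
    # "Unexpected DNS network traffic destination": port 53 to a non-resolver.
    if ev["dst_port"] == 53 and ev["dst_ip"] not in configured_dns:
        return [("DNS-port traffic to unconfigured server", ev["dst_ip"])]
    return []


def triage(events, configured_dns):
    """Run every rule over a list of events; return (rule, detail) pairs."""
    rules = {"process": check_process, "file": check_file, "registry": check_registry,
             "network": lambda ev: check_network(ev, configured_dns)}
    hits = []
    for ev in events:
        hits.extend(rules[ev["type"]](ev))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe"
CONFIGURED_DNS = {"10.0.0.2"}  # constructed resolver address
# Constructed events mirroring the report; IPs and example.sys are made up.
EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\system32\winlogon.exe",
     "image": r"C:\Windows\system32\dwm.exe", "cmdline": '"dwm.exe"'},
    {"type": "process", "parent_image": r"C:\Windows\system32\winlogon.exe",
     "image": r"C:\Windows\sdchange.exe", "cmdline": r'"C:\Windows\sdchange.exe"'},
    {"type": "process", "parent_image": SAMPLE, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "' + SAMPLE + '"'},
    {"type": "process", "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout /t 1"},
    {"type": "file", "image": r"C:\Windows\sdchange.exe", "target": r"C:\Windows\7fdprvKyY3o.sys"},
    {"type": "file", "image": r"C:\Windows\sdchange.exe",
     "target": r"C:\Windows\System32\drivers\example.sys"},
    {"type": "registry", "image": SAMPLE, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "image": r"C:\Windows\sdchange.exe",
     "key": r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"},
    {"type": "network", "dst_ip": "10.0.0.2", "dst_port": 53},
    {"type": "network", "dst_ip": "203.0.113.7", "dst_port": 53},
]

if __name__ == "__main__":
    for rule, detail in triage(EVENTS, CONFIGURED_DNS):
        print(f"{rule:45} {detail}")
```

    Run against the constructed events, the dwm.exe child, the bare timeout.exe launch and the query to the configured resolver produce nothing, while the other seven events each yield one hit. The self-delete rule deliberately requires the deleted path to equal the parent's image; a `del` of some other file is common in installers and would otherwise drown the rule in noise.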

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\7fdprvKyY3o.sys

            Filesize

            415KB

            MD5

            b35f50c1fdabf0633e08120d60f58310

            SHA1

            e75428f11aa36e3cb3dd8ded2c1d4a96cce003a5

            SHA256

            2fcab54eda2766741f452476f55052f58598f9a8aa5156e45232c9c0111fa233

            SHA512

            17e3963353aac24f61f6b8bb13b5edb269a000c4e55311466678d99e274a29fb95c361a7f4691cd7e99d38d5660ea29ef59c7d34da1606390e9dc3e9ecc5098f

          • C:\Windows\XnEokxfDcXH.sys

            Filesize

            447KB

            MD5

            db5d4252dbfe3c6a8ed839012a0501fa

            SHA1

            b502e4690bf2c88f991c543b7050839c6db8fe8d

            SHA256

            8ce672b0220d07da7cd3997164b53b63a48a8b977956849ee15bd4f597a618df

            SHA512

            b8169e775c280244defc7e052a036262f1436380bf423a6d8fec14f63971e0fc422ea846e0e2b5d4a4631d011f82b76db59d56f9802152b7931006c9cd2c9005

          • C:\Windows\n3SZnMg44H4k.sys

            Filesize

            415KB

            MD5

            64bc1983743c584a9ad09dacf12792e5

            SHA1

            0f14098f523d21f11129c4df09451413ddff6d61

            SHA256

            057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

            SHA512

            9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

          • C:\Windows\sdchange.exe

            Filesize

            50KB

            MD5

            26ff03d565d4d68bf80602a8d21f46ee

            SHA1

            8b2e151fe31eb875aedffb6dda5d1cf761ba3631

            SHA256

            4113eea6d5998515b9a460c4de0be96bb00de07a36f87cd7215d29932ed02ed7

            SHA512

            083dbf9996fa36418cf6dcafb4915b25595c7cfc831e46241f10a78dee8555c5a2c8709747ebc8be95d9d10a7816a827011547975617d9cc06e84fd55c9398bf

          • C:\Windows\zvBJe5E3An6.sys

            Filesize

            447KB

            MD5

            d15f5f23df8036bd5089ce8d151b0e0d

            SHA1

            4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

            SHA256

            f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

            SHA512

            feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

          • memory/60-318-0x000001A940060000-0x000001A940061000-memory.dmp

            Filesize

            4KB

          • memory/60-317-0x000001A93FF20000-0x000001A940042000-memory.dmp

            Filesize

            1.1MB

          • memory/60-320-0x000001A940070000-0x000001A940074000-memory.dmp

            Filesize

            16KB

          • memory/60-327-0x000001A93FF20000-0x000001A940042000-memory.dmp

            Filesize

            1.1MB

          • memory/376-42-0x00000000005E0000-0x000000000064E000-memory.dmp

            Filesize

            440KB

          • memory/376-0-0x00000000005E0000-0x000000000064E000-memory.dmp

            Filesize

            440KB

          • memory/620-57-0x0000020CC1D90000-0x0000020CC1D91000-memory.dmp

            Filesize

            4KB

          • memory/620-17-0x0000020CC1D50000-0x0000020CC1D78000-memory.dmp

            Filesize

            160KB

          • memory/2500-68-0x0000028D32D20000-0x0000028D32E42000-memory.dmp

            Filesize

            1.1MB

          • memory/2500-151-0x0000028D32D20000-0x0000028D32E42000-memory.dmp

            Filesize

            1.1MB

          • memory/2500-325-0x0000028D329E0000-0x0000028D329E1000-memory.dmp

            Filesize

            4KB

          • memory/2500-54-0x0000028D31180000-0x0000028D31181000-memory.dmp

            Filesize

            4KB

          • memory/2500-55-0x0000028D30860000-0x0000028D3092B000-memory.dmp

            Filesize

            812KB

          • memory/2500-56-0x0000028D2F0A0000-0x0000028D2F0A1000-memory.dmp

            Filesize

            4KB

          • memory/2500-51-0x0000028D31170000-0x0000028D31171000-memory.dmp

            Filesize

            4KB

          • memory/2500-58-0x0000028D31180000-0x0000028D3118F000-memory.dmp

            Filesize

            60KB

          • memory/2500-59-0x0000028D311D0000-0x0000028D311FE000-memory.dmp

            Filesize

            184KB

          • memory/2500-60-0x0000028D31850000-0x0000028D31907000-memory.dmp

            Filesize

            732KB

          • memory/2500-62-0x0000028D30F60000-0x0000028D30F61000-memory.dmp

            Filesize

            4KB

          • memory/2500-61-0x0000028D31170000-0x0000028D31171000-memory.dmp

            Filesize

            4KB

          • memory/2500-63-0x0000028D32A00000-0x0000028D32BCA000-memory.dmp

            Filesize

            1.8MB

          • memory/2500-64-0x0000028D31180000-0x0000028D31181000-memory.dmp

            Filesize

            4KB

          • memory/2500-324-0x0000028D31330000-0x0000028D31331000-memory.dmp

            Filesize

            4KB

          • memory/2500-50-0x0000028D30F60000-0x0000028D30F61000-memory.dmp

            Filesize

            4KB

          • memory/2500-13-0x0000028D30860000-0x0000028D3092B000-memory.dmp

            Filesize

            812KB

          • memory/2500-69-0x0000028D31170000-0x0000028D31171000-memory.dmp

            Filesize

            4KB

          • memory/2500-85-0x0000028D32A00000-0x0000028D32BCA000-memory.dmp

            Filesize

            1.8MB

          • memory/2500-49-0x00007FFB21FF0000-0x00007FFB22000000-memory.dmp

            Filesize

            64KB

          • memory/2500-12-0x00007FFB21FF0000-0x00007FFB22000000-memory.dmp

            Filesize

            64KB

          • memory/2500-52-0x0000028D31170000-0x0000028D31171000-memory.dmp

            Filesize

            4KB

          • memory/2500-11-0x0000028D30860000-0x0000028D3092B000-memory.dmp

            Filesize

            812KB

          • memory/2500-14-0x0000028D2F0A0000-0x0000028D2F0A1000-memory.dmp

            Filesize

            4KB

          • memory/3380-4-0x0000000007DF0000-0x0000000007EE7000-memory.dmp

            Filesize

            988KB

          • memory/3380-319-0x0000000002670000-0x0000000002671000-memory.dmp

            Filesize

            4KB

          • memory/3380-120-0x0000000002370000-0x0000000002371000-memory.dmp

            Filesize

            4KB

          • memory/3380-310-0x0000000002370000-0x0000000002371000-memory.dmp

            Filesize

            4KB

          • memory/3380-313-0x0000000002620000-0x0000000002623000-memory.dmp

            Filesize

            12KB

          • memory/3380-316-0x0000000002660000-0x0000000002661000-memory.dmp

            Filesize

            4KB

          • memory/3380-71-0x0000000002370000-0x0000000002371000-memory.dmp

            Filesize

            4KB

          • memory/3380-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

            Filesize

            4KB

          • memory/3380-211-0x0000000002370000-0x0000000002371000-memory.dmp

            Filesize

            4KB

          • memory/3380-174-0x0000000002370000-0x0000000002371000-memory.dmp

            Filesize

            4KB

          • memory/3380-2-0x00000000023A0000-0x00000000023A3000-memory.dmp

            Filesize

            12KB

          • memory/3380-322-0x0000000002370000-0x0000000002371000-memory.dmp

            Filesize

            4KB

          • memory/3380-323-0x000000000A3B0000-0x000000000A4D2000-memory.dmp

            Filesize

            1.1MB

          • memory/3380-328-0x000000000A3B0000-0x000000000A4D2000-memory.dmp

            Filesize

            1.1MB

          • memory/3380-53-0x0000000007DF0000-0x0000000007EE7000-memory.dmp

            Filesize

            988KB

          • memory/3380-326-0x000000000A4E0000-0x000000000A4E4000-memory.dmp

            Filesize

            16KB

          • memory/3380-1-0x00000000023A0000-0x00000000023A3000-memory.dmp

            Filesize

            12KB

          • memory/3580-66-0x000001FA24380000-0x000001FA24526000-memory.dmp

            Filesize

            1.6MB