Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
-
submitted
07-12-2023 19:54
General
-
Target
23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe
-
Size
223KB
-
MD5
aa7c1437997a0f1c1ae8d07ff907135a
-
SHA1
9a7e53855be3996f35854572cc5d9867e734f260
-
SHA256
23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8
-
SHA512
df285ebbbcf74a70aa5a60ed6f116b5b2d0799db321a4abb69ac19bbedab7ea1727a2ea7c1cd3f0d4626d59f200de0ce1d9a3b3f9616c371c54e8b90ebab765e
-
SSDEEP
3072:xZ7wXfSRZ0ON/EwW66wN94xu4CkAZJM2k5D66L+NfGbVON2Nqi/6gS5UoWXHz72n:7wPSUONLNsuWA7koN+boRi9S6oiz72D
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Drops file in Drivers directory 9 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Drops file in System32 directory 23 IoCs
-
Drops file in Program Files directory 26 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 12 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 59 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Help\msdtc.exe"C:\Windows\Help\msdtc.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\msinfo32.exe"C:\Windows\system32\msinfo32.exe"3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe"C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\5UQL4XD0biI0G1.sysFilesize
415KB
MD586dcce1f65f56babe1312b8d63018391
SHA1735bb7f6884a6b26f548dbb567351ea21497d28a
SHA2560b1117aec00b614ad6c684147bf76530a096d86db537a280dec6b044de1c701b
SHA51238e3a53f158c8ff409dd8aba0eba6105dd04bbcd54bd63e1234d71d6656fc84e70643dd915e0293f42c322710ab2f0c01470ec72bded290407a6f907df3f0ea3
-
C:\Windows\9bI9sOdnNHvnsj.sysFilesize
415KB
MD564bc1983743c584a9ad09dacf12792e5
SHA10f14098f523d21f11129c4df09451413ddff6d61
SHA256057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA5129ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c
-
C:\Windows\FAh9EvVHYcLJh2.sysFilesize
447KB
MD57ba2e5f80701b7c3c0d4a929f324de71
SHA1c91323cba3c0aaf968845ef750826f3fdadb4fde
SHA256d927f8e5073e0cc02ff0f29224390d2148268d6bec3a13c0052cb674c8d73ba9
SHA5129d0028f9857400bf9b4a3ac2d431ea79400072b82ae27ab434356ee0f61e55f31fee72301796d3d3e532b94d123c801c1c023a2d0eb0b7e14f679441e6ae951a
-
C:\Windows\Help\msdtc.exeFilesize
145KB
MD52ef846ac66e181be820b513dbc15b5d2
SHA18b4786eb9d864fc78bd99432ae0c78f887049461
SHA256edfe71025c352d0dabec7b9506c5945bb0ec11f8db540db8cb1116c2ea1648a8
SHA5122587acd723f515eb8fa1dd7016647079fd7af2a1c32f92ff344766803d524d9820bebaf21daa3b3d3556d2db8ab956a8a1682eaa46abb9b04a4c8e1e21321bdc
-
C:\Windows\Help\msdtc.exeFilesize
145KB
MD52ef846ac66e181be820b513dbc15b5d2
SHA18b4786eb9d864fc78bd99432ae0c78f887049461
SHA256edfe71025c352d0dabec7b9506c5945bb0ec11f8db540db8cb1116c2ea1648a8
SHA5122587acd723f515eb8fa1dd7016647079fd7af2a1c32f92ff344766803d524d9820bebaf21daa3b3d3556d2db8ab956a8a1682eaa46abb9b04a4c8e1e21321bdc
-
C:\Windows\Wvpk8ZFeDLv.sysFilesize
447KB
MD5d15f5f23df8036bd5089ce8d151b0e0d
SHA14066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9
-
memory/316-343-0x0000020922270000-0x0000020922274000-memory.dmpFilesize
16KB
-
memory/316-339-0x0000020922120000-0x0000020922242000-memory.dmpFilesize
1.1MB
-
memory/316-340-0x0000020922260000-0x0000020922261000-memory.dmpFilesize
4KB
-
memory/316-346-0x0000020922120000-0x0000020922242000-memory.dmpFilesize
1.1MB
-
memory/588-66-0x000001DAEC160000-0x000001DAEC188000-memory.dmpFilesize
160KB
-
memory/588-17-0x000001DAEC150000-0x000001DAEC153000-memory.dmpFilesize
12KB
-
memory/588-19-0x000001DAEC160000-0x000001DAEC188000-memory.dmpFilesize
160KB
-
memory/588-20-0x000001DAEC1A0000-0x000001DAEC1A1000-memory.dmpFilesize
4KB
-
memory/588-67-0x000001DAEC1A0000-0x000001DAEC1A1000-memory.dmpFilesize
4KB
-
memory/1848-0-0x0000000000C60000-0x0000000000CCE000-memory.dmpFilesize
440KB
-
memory/1848-52-0x0000000000C60000-0x0000000000CCE000-memory.dmpFilesize
440KB
-
memory/1848-54-0x0000000000C60000-0x0000000000CCE000-memory.dmpFilesize
440KB
-
memory/2084-86-0x0000020E49EE0000-0x0000020E49EE1000-memory.dmpFilesize
4KB
-
memory/2084-149-0x0000020E49ED0000-0x0000020E49ED2000-memory.dmpFilesize
8KB
-
memory/2084-58-0x0000020E49EE0000-0x0000020E49EE1000-memory.dmpFilesize
4KB
-
memory/2084-57-0x0000020E49EF0000-0x0000020E49EF1000-memory.dmpFilesize
4KB
-
memory/2084-347-0x0000020E49CC0000-0x0000020E49CC1000-memory.dmpFilesize
4KB
-
memory/2084-10-0x0000020E47A20000-0x0000020E47A23000-memory.dmpFilesize
12KB
-
memory/2084-61-0x0000020E47CB0000-0x0000020E47D7B000-memory.dmpFilesize
812KB
-
memory/2084-62-0x0000020E49ED0000-0x0000020E49ED1000-memory.dmpFilesize
4KB
-
memory/2084-63-0x0000020E47D80000-0x0000020E47D81000-memory.dmpFilesize
4KB
-
memory/2084-64-0x0000020E49EE0000-0x0000020E49EEF000-memory.dmpFilesize
60KB
-
memory/2084-65-0x0000020E49F30000-0x0000020E49FE7000-memory.dmpFilesize
732KB
-
memory/2084-55-0x0000020E49ED0000-0x0000020E49ED1000-memory.dmpFilesize
4KB
-
memory/2084-53-0x0000020E49CC0000-0x0000020E49CC2000-memory.dmpFilesize
8KB
-
memory/2084-70-0x0000020E4A5A0000-0x0000020E4A5CE000-memory.dmpFilesize
184KB
-
memory/2084-332-0x0000020E49CC0000-0x0000020E49CC1000-memory.dmpFilesize
4KB
-
memory/2084-68-0x0000020E4B520000-0x0000020E4B642000-memory.dmpFilesize
1.1MB
-
memory/2084-76-0x0000020E49ED0000-0x0000020E49ED2000-memory.dmpFilesize
8KB
-
memory/2084-73-0x0000020E4A5D0000-0x0000020E4A5D1000-memory.dmpFilesize
4KB
-
memory/2084-80-0x0000020E4B950000-0x0000020E4BB1A000-memory.dmpFilesize
1.8MB
-
memory/2084-331-0x0000020E4B430000-0x0000020E4B43A000-memory.dmpFilesize
40KB
-
memory/2084-87-0x0000020E49EF0000-0x0000020E49EF1000-memory.dmpFilesize
4KB
-
memory/2084-51-0x00007FFA8ADE0000-0x00007FFA8ADF0000-memory.dmpFilesize
64KB
-
memory/2084-92-0x0000020E49ED0000-0x0000020E49ED2000-memory.dmpFilesize
8KB
-
memory/2084-94-0x0000020E49ED0000-0x0000020E49ED1000-memory.dmpFilesize
4KB
-
memory/2084-15-0x00007FFA8ADE0000-0x00007FFA8ADF0000-memory.dmpFilesize
64KB
-
memory/2084-135-0x0000020E49F30000-0x0000020E49FE7000-memory.dmpFilesize
732KB
-
memory/2084-145-0x0000020E4B520000-0x0000020E4B642000-memory.dmpFilesize
1.1MB
-
memory/2084-141-0x0000020E49ED0000-0x0000020E49ED1000-memory.dmpFilesize
4KB
-
memory/2084-13-0x0000020E47CB0000-0x0000020E47D7B000-memory.dmpFilesize
812KB
-
memory/2084-56-0x0000020E49EE0000-0x0000020E49EE1000-memory.dmpFilesize
4KB
-
memory/2084-14-0x0000020E47D80000-0x0000020E47D81000-memory.dmpFilesize
4KB
-
memory/2084-330-0x0000020E4A5E0000-0x0000020E4A5E1000-memory.dmpFilesize
4KB
-
memory/2084-323-0x0000020E4B430000-0x0000020E4B43A000-memory.dmpFilesize
40KB
-
memory/2084-11-0x0000020E47CB0000-0x0000020E47D7B000-memory.dmpFilesize
812KB
-
memory/3120-335-0x0000000002D20000-0x0000000002D23000-memory.dmpFilesize
12KB
-
memory/3120-1-0x0000000002EA0000-0x0000000002EA3000-memory.dmpFilesize
12KB
-
memory/3120-224-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-324-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-325-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-326-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-327-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-328-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-329-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-212-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-350-0x0000000008E80000-0x0000000008FA2000-memory.dmpFilesize
1.1MB
-
memory/3120-298-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-60-0x0000000008580000-0x0000000008677000-memory.dmpFilesize
988KB
-
memory/3120-338-0x0000000002D50000-0x0000000002D51000-memory.dmpFilesize
4KB
-
memory/3120-311-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-8-0x0000000008580000-0x0000000008677000-memory.dmpFilesize
988KB
-
memory/3120-341-0x0000000002D60000-0x0000000002D61000-memory.dmpFilesize
4KB
-
memory/3120-7-0x0000000002EC0000-0x0000000002EC1000-memory.dmpFilesize
4KB
-
memory/3120-2-0x0000000002EA0000-0x0000000002EA3000-memory.dmpFilesize
12KB
-
memory/3120-344-0x0000000008E80000-0x0000000008FA2000-memory.dmpFilesize
1.1MB
-
memory/3120-345-0x0000000008FB0000-0x0000000008FB4000-memory.dmpFilesize
16KB
-
memory/3120-72-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/3120-59-0x0000000002EC0000-0x0000000002EC1000-memory.dmpFilesize
4KB
-
memory/4236-82-0x0000018482410000-0x00000184825B6000-memory.dmpFilesize
1.6MB