Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/12/2023, 20:35

General

  • Target

    3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe

  • Size

    545KB

  • MD5

    53d5101bf73ad81743a6b8e94deee77f

  • SHA1

    0e997ff5b72fec6ba747aac8405e6d85ad625050

  • SHA256

    3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c

  • SHA512

    9b819d023c928ccb6802f38bb46c1734fd4f7f2188f962cc38bfa3f1641655c1121d7a51edfd9e9724079b5c848e40929d67fb819bf2a8978b37614ec4305b10

  • SSDEEP

    6144:vhjxrU2+7kO+4LT9FD/QOuVkJpFYcEOkCybEaQRXr9HNdvOaAC6:vvr+M4H9FrGVkwOkx2LIat6

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 9 IoCs
  • Deletes itself 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe
        "C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe"
        2⤵
        • Drops file in Windows directory
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2672
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1152

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

            Filesize

            2KB

            MD5

            9ba47a279b7950e198b6076171704bd8

            SHA1

            2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab

            SHA256

            1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6

            SHA512

            d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            1KB

            MD5

            b3e886f0a26b67c1234b30c755341758

            SHA1

            8a881fb559672e95834def740fc5ba017879b0db

            SHA256

            808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f

            SHA512

            66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

            Filesize

            599B

            MD5

            3fefedd2d651734aab0aff2f8161db56

            SHA1

            eda0d013d0db080e6477965234bf4db2aceb215e

            SHA256

            4a2a561a396876d9ef6387f7f5394313a82d06945aae92d672a39b3db8cc5f01

            SHA512

            0ac825bf61b063f64e93eb4638ebeb63457309068e8a8ac27ea15b79c0ae7968ec1db6df757d74d9350abfd262d2a834ab54ee47f8d04dbb6451f7133072a56e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

            Filesize

            484B

            MD5

            af4aa3e6fa5a8265a52988e582ddd77e

            SHA1

            c45b868f3e3558a1520d0e256da8aa3e2bd76dfb

            SHA256

            5dd2a58e84528fd54c5514ce1f21492cd4cfcac3d1d5dedc4ea53028562c5e20

            SHA512

            28141f0a7fc810f3a2df667aff275920837745a03d93478763a364f2c8195c813bd5f517c6a14602b0d52640692b664aa34abf0f57c9fcffde618132d7d16656

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            6581f07197fd48abed1b88afc3e1ca0a

            SHA1

            604d96025bf04c5302812e974bf58c98ffdb84fc

            SHA256

            584c154bf4bfdab27ba7d0ad747d876f2a96e9ce2b74143ea68c6f80639464b8

            SHA512

            56968fcc894e1d7ff6248f2dedcd2850faa7c656dc64e15d0312fd63ef2c37f13558fa46dd62310195fad837d2706c7a7241f8128396669fa095056187867bc7

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            9c65ee516ed57d976665f4ba6e7da04d

            SHA1

            076dfc099b7ac70f80c43cb2d4ba37acb29f35b9

            SHA256

            542e6148e4732fe84a9060fa8d834d73975d709a93ff84172630359367064371

            SHA512

            bc1a1ee04e899bdb9d4ede3550a75cffd9c98391ddfcd28b8c0890958d9d60054ac0de818f0039663d1fd1b3137b26e82f79aed333c1d283d0a07828d18b12b1

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            482B

            MD5

            94a27ce0e6449be9e955fafd976ee746

            SHA1

            ac9ca68b1b088d508408966c0e51146d121604ea

            SHA256

            8e4f059c414fe68ca4521f705a1576adf0b9193ab52b05e0bee6f7a2eee64f8a

            SHA512

            c3799b80bb7a4a6d40d79740f59050654925a5abe8e780c75e83cfdd3d97bc11bdde0e5495cdd276f0e33112f6e2107d82d057afdb9186cefe139f12b85c8e0c

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

            Filesize

            504B

            MD5

            efae7df0182bae8d2f6f9ef7f2cad5d6

            SHA1

            d16e5be1f81741a192e686072013eabbee03bcfb

            SHA256

            6bee2767225a97cb4ece1a98374fbfdc807a543f28c8af642f407616d8bf97fd

            SHA512

            b21ff66a45d26eefd11cbe0cea46466d7c3be1886e62de2733481b725cffa6fa62e3f8d453e6da46942c3be83551b89778327f697baa08492fde142b78d99443

          • C:\Users\Admin\AppData\Local\Temp\Tar4773.tmp

            Filesize

            171KB

            MD5

            9c0c641c06238516f27941aa1166d427

            SHA1

            64cd549fb8cf014fcd9312aa7a5b023847b6c977

            SHA256

            4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

            SHA512

            936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

          • C:\Windows\1tpK7hZEkNer.sys

            Filesize

            415KB

            MD5

            a5739c49ec1255fe87cc5712a66cb7b5

            SHA1

            ee12e93e77773efaf14ecc114253bfd2fa6cd0eb

            SHA256

            f4943dc2cdf234ac42fa553c425f2325b03775af4e482de6c58bc0895fc43752

            SHA512

            2ecb9046fae8bc01d266b162707b8dc145bab64921cb4f492d9e1eb5692bb5dcced1ad9793c20598d27011f300f9ff59c9610b6d13077f8a8cec6c8617b31eba

          • C:\Windows\70lEBHtTgh.sys

            Filesize

            415KB

            MD5

            64bc1983743c584a9ad09dacf12792e5

            SHA1

            0f14098f523d21f11129c4df09451413ddff6d61

            SHA256

            057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

            SHA512

            9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

          • C:\Windows\RvbVdxhdgIU.sys

            Filesize

            447KB

            MD5

            d15f5f23df8036bd5089ce8d151b0e0d

            SHA1

            4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

            SHA256

            f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

            SHA512

            feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

          • C:\Windows\xIbu9FjoZRz7.sys

            Filesize

            447KB

            MD5

            5e842a9d9ebc88025471b3bff3e233b9

            SHA1

            d44ede07cb1fbf4387d5d6ddd700ff87093bcec6

            SHA256

            f65695ad21125414c001abc88873f7aa828d3d603c82b38d70bac393ba429600

            SHA512

            204e5cfdeddf5ec9b73b1910a6bc5918b3c4d5341639e41a96fd979c6d48470564706d10bf92175b148a2cb192f53f6f015cae7e8d42a8070a419df0c7bee8f6
