Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/12/2023, 20:38

General

  • Target

    60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe

  • Size

    545KB

  • MD5

    4650fd56e68b1c5c263336068c266a71

  • SHA1

    0a8517213b495344d06768df242a28d9d99cde05

  • SHA256

    60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d

  • SHA512

    f605c74d1751d41460e6f6b84a2a7397c2e9fdd9485350a894abde04ec614e6035a6c2e47d29d9a393bb0b3e64155156a9ca8534e263559e7efbc1ed68ac6e70

  • SSDEEP

    6144:yhjxrU2+7kO+4LT9FD/QOuVkJpFYcEOkCybEaQRXr9HNdvOaAC6:yvr+M4H9FrGVkwOkx2LIat6

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 9 IoCs
  • Deletes itself 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
        "C:\Users\Admin\AppData\Local\Temp\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe"
        2⤵
        • Drops file in Windows directory
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:1564

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

            Filesize

            2KB

            MD5

            9ba47a279b7950e198b6076171704bd8

            SHA1

            2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab

            SHA256

            1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6

            SHA512

            d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            1KB

            MD5

            b3e886f0a26b67c1234b30c755341758

            SHA1

            8a881fb559672e95834def740fc5ba017879b0db

            SHA256

            808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f

            SHA512

            66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

            Filesize

            599B

            MD5

            3fefedd2d651734aab0aff2f8161db56

            SHA1

            eda0d013d0db080e6477965234bf4db2aceb215e

            SHA256

            4a2a561a396876d9ef6387f7f5394313a82d06945aae92d672a39b3db8cc5f01

            SHA512

            0ac825bf61b063f64e93eb4638ebeb63457309068e8a8ac27ea15b79c0ae7968ec1db6df757d74d9350abfd262d2a834ab54ee47f8d04dbb6451f7133072a56e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

            Filesize

            484B

            MD5

            ad6eee3bc40a4d01931d53dd3050f1ed

            SHA1

            31618360c73df64b19ed2ad0d6e12488fcb3a460

            SHA256

            f9397156fa4e1e02ef0724e2ef970600f62f69ce7a390bfaa38c773f43a26d5c

            SHA512

            0e25c56861bda0618cffe9329f031a54966d5759fd05df95af1ef44d33ee2d1bb63785ed664fe7f016abe2e30c8aae8a776dffdae308432785ba2481c7bf3b19

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            dbccdcc9c1eb9d0cb0ffd527684f0b7a

            SHA1

            613bbcd163182a614845bfe3fcef6a1bc643c862

            SHA256

            bb15336f806aebd87db85734d81a85684d35a01cfbb704206099dcca2fde2da7

            SHA512

            bedc030bad4b1e2a006457b82826b9b8c38cdf1653f6f127cd102792361bc7c90de93ef4aa2866527cff84471ce71dff396a8ae91be076e076d51eccf6dd4f68

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            d1d75c7d7c0610e4757d8584fb705780

            SHA1

            595fff22bba4ec4daaf9ac2e48ea5c71a5a709d3

            SHA256

            e83c5d5be485c93b6991359d722745f24d8466b3da197835c964ff6a1610966b

            SHA512

            d3b7ccb7b88f7498b94961f79e401135bc9e60453f15be517794f834243d9e08ce61fd1ab6c8fc8dd659735aa3a17a983244a7db1d488107605cb279c895bbf4

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            482B

            MD5

            e722777424420d7db5a2e0b0dd481921

            SHA1

            0ae284a19cbf46182c84b0408ab71f423a73c991

            SHA256

            5bc303c1b965aca9f59b5e8cd988ccc7ae36fc02cc93bc6eb7b2a0d213d05e9c

            SHA512

            0d312f65663ef52caf83b9b80725bbd609e183bac7d177457bc7b3df49d9f71a5f2a849d8ce98f7f6b2c17aa70c570ec4eadb19951b3cca0fb01c71b60cd926a

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

            Filesize

            504B

            MD5

            d3a51fc08a8ebd6e79978edac007d197

            SHA1

            3a61b400ab126ac21c24a96a3f21207ccf46aa6e

            SHA256

            315cbb16bba3dfc1a3264746fd366132af75c33aa376c63d480a1cc4895661a9

            SHA512

            263d57f4e80332af94bf1aab478fac6a9692f1849b9549050f9ff3f2d0887f63dc4d72b8604dc0654e875ea0460d49c8a5038be5d033d1bf82a0a926e6f4fd7f

          • C:\Users\Admin\AppData\Local\Temp\TarA6D1.tmp

            Filesize

            171KB

            MD5

            9c0c641c06238516f27941aa1166d427

            SHA1

            64cd549fb8cf014fcd9312aa7a5b023847b6c977

            SHA256

            4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

            SHA512

            936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

          • C:\Windows\Ai0Itwvn5j6TU.sys

            Filesize

            447KB

            MD5

            f696aab1d8af39b5bda5edc6b7cc12d6

            SHA1

            6cc11c321728608e7c3b202a9d53c39f33d6e8d7

            SHA256

            0520e04d912fe979e0382e7285dd919bc0e3e0606a3c398c64e0b799f1613321

            SHA512

            9ba2564216e025eba689b46e88ce1322fb6cccac2eba68a9a630ee0b8002c05921a953d67cc1709efb4d9c85361b5a80a56d79fda065b709e67812e704b9f706

          • C:\Windows\CYZQBdeHFWjt8D.sys

            Filesize

            415KB

            MD5

            64bc1983743c584a9ad09dacf12792e5

            SHA1

            0f14098f523d21f11129c4df09451413ddff6d61

            SHA256

            057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

            SHA512

            9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

          • C:\Windows\RO5Akibtm0T4H.sys

            Filesize

            447KB

            MD5

            d15f5f23df8036bd5089ce8d151b0e0d

            SHA1

            4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

            SHA256

            f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

            SHA512

            feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

          • C:\Windows\wAArsC3ifQTL.sys

            Filesize

            415KB

            MD5

            6a091df465562a3766d0fe5635bc3937

            SHA1

            ea517d7963ea9208de48ed90187c044a6f2869d3

            SHA256

            bd53820f8615692b08b22cb40644f57336abee92a25b3f075bae19fb3879e4f5

            SHA512

            f2d2a890d559c2562a22074dfed7f25fc11e96df8de7238609aea87d50ed1f352852cde38b14954c104e0f0d7746980c7b01f0479e1fad67b1ceccfc732968c7

          • memory/420-651-0x00000000008F0000-0x0000000000918000-memory.dmp

            Filesize

            160KB

          • memory/1160-842-0x0000000001C60000-0x0000000001C63000-memory.dmp

            Filesize

            12KB

          • memory/1160-835-0x0000000001F20000-0x0000000001FCA000-memory.dmp

            Filesize

            680KB

          • memory/1160-882-0x00000000033C0000-0x000000000346F000-memory.dmp

            Filesize

            700KB

          • memory/1160-850-0x0000000001C80000-0x0000000001C81000-memory.dmp

            Filesize

            4KB

          • memory/1160-849-0x0000000001C80000-0x0000000001C81000-memory.dmp

            Filesize

            4KB

          • memory/1160-848-0x0000000001FD0000-0x000000000207F000-memory.dmp

            Filesize

            700KB

          • memory/1160-847-0x0000000001C60000-0x0000000001C63000-memory.dmp

            Filesize

            12KB

          • memory/1160-846-0x0000000001C60000-0x0000000001C63000-memory.dmp

            Filesize

            12KB

          • memory/1160-885-0x0000000001FD0000-0x000000000207F000-memory.dmp

            Filesize

            700KB

          • memory/1160-839-0x0000000001B40000-0x0000000001B41000-memory.dmp

            Filesize

            4KB

          • memory/1232-706-0x00000000008F0000-0x0000000000918000-memory.dmp

            Filesize

            160KB

          • memory/1232-836-0x0000000009390000-0x000000000943F000-memory.dmp

            Filesize

            700KB

          • memory/1232-702-0x0000000037B00000-0x0000000037B10000-memory.dmp

            Filesize

            64KB

          • memory/1232-647-0x000007FEBE1B0000-0x000007FEBE1C0000-memory.dmp

            Filesize

            64KB

          • memory/1232-648-0x0000000004EC0000-0x0000000004F71000-memory.dmp

            Filesize

            708KB

          • memory/1232-645-0x0000000002790000-0x0000000002793000-memory.dmp

            Filesize

            12KB

          • memory/1232-646-0x0000000004EC0000-0x0000000004F71000-memory.dmp

            Filesize

            708KB

          • memory/1232-643-0x0000000002790000-0x0000000002793000-memory.dmp

            Filesize

            12KB

          • memory/1232-884-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

            Filesize

            4KB

          • memory/1232-886-0x000000000ADF0000-0x000000000AE9F000-memory.dmp

            Filesize

            700KB

          • memory/1232-710-0x0000000004EC0000-0x0000000004F71000-memory.dmp

            Filesize

            708KB

          • memory/1232-834-0x00000000008F0000-0x0000000000918000-memory.dmp

            Filesize

            160KB

          • memory/1232-641-0x0000000002790000-0x0000000002793000-memory.dmp

            Filesize

            12KB

          • memory/1232-704-0x00000000008F0000-0x0000000000918000-memory.dmp

            Filesize

            160KB

          • memory/1232-837-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

            Filesize

            4KB

          • memory/1232-715-0x0000000009390000-0x000000000943F000-memory.dmp

            Filesize

            700KB

          • memory/1232-713-0x0000000009390000-0x000000000943F000-memory.dmp

            Filesize

            700KB

          • memory/1232-712-0x00000000008F0000-0x0000000000918000-memory.dmp

            Filesize

            160KB

          • memory/1232-711-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

            Filesize

            4KB

          • memory/1232-833-0x0000000009390000-0x000000000943F000-memory.dmp

            Filesize

            700KB

          • memory/1232-708-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

            Filesize

            4KB

          • memory/1232-709-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

            Filesize

            4KB

          • memory/1232-865-0x000000000ADF0000-0x000000000AE9F000-memory.dmp

            Filesize

            700KB

          • memory/1232-869-0x000000000ADF0000-0x000000000AE9F000-memory.dmp

            Filesize

            700KB

          • memory/1232-867-0x0000000009390000-0x000000000943F000-memory.dmp

            Filesize

            700KB

          • memory/1232-707-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

            Filesize

            4KB

          • memory/1232-883-0x0000000009390000-0x000000000943F000-memory.dmp

            Filesize

            700KB

          • memory/2852-705-0x0000000000350000-0x00000000003DF000-memory.dmp

            Filesize

            572KB

          • memory/2852-0-0x0000000000350000-0x00000000003DF000-memory.dmp

            Filesize

            572KB

          • memory/2852-71-0x0000000000350000-0x00000000003DF000-memory.dmp

            Filesize

            572KB