Analysis

Max time kernel: 150s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20231127-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/12/2023, 20:38
Behavioral task: behavioral1
Sample: 60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Resource: win7-20231023-en
General

Target: 60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Size: 545KB
MD5: 4650fd56e68b1c5c263336068c266a71
SHA1: 0a8517213b495344d06768df242a28d9d99cde05
SHA256: 60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d
SHA512: f605c74d1751d41460e6f6b84a2a7397c2e9fdd9485350a894abde04ec614e6035a6c2e47d29d9a393bb0b3e64155156a9ca8534e263559e7efbc1ed68ac6e70
SSDEEP: 6144:yhjxrU2+7kO+4LT9FD/QOuVkJpFYcEOkCybEaQRXr9HNdvOaAC6:yvr+M4H9FrGVkwOkx2LIat6
Malware Config

Signatures

Drops file in Drivers directory (9 IoCs)
- File created: C:\Windows\System32\drivers\KLJyuwD0.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\FBkrKBIoYPe.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\Az7DuQt9Cg3Ca.rgm (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\jXzwfYtlMqB.pst (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\p1TkKXdBF9.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\eozaedxRVi.hxk (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\8KmbJGGgwL1Ksm.ign (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\gpMBNmeeJO1.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\7vXCfnBP0aRh.sys (Explorer.EXE)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation (60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe)

YARA rule match: upx (3 resources)
- behavioral2/memory/2260-0-0x0000000000430000-0x00000000004BF000-memory.dmp
- behavioral2/memory/2260-15-0x0000000000430000-0x00000000004BF000-memory.dmp
- behavioral2/memory/2260-67-0x0000000000430000-0x00000000004BF000-memory.dmp
Unexpected DNS network traffic destination (6 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP: 114.114.114.114 (5 occurrences)
- Destination IP: 223.5.5.5 (1 occurrence)

YARA rule match: vmprotect (4 resources)
- behavioral2/files/0x00080000000231f5-86.dat
- behavioral2/files/0x000a0000000231f5-114.dat
- behavioral2/files/0x0008000000023231-142.dat
- behavioral2/files/0x0008000000023233-170.dat
Drops file in System32 directory (9 IoCs)
- File opened for modification: C:\Windows\system32\HFZrhhf1SKEQ.kac (Explorer.EXE)
- File opened for modification: C:\Windows\system32\Mw4bg3d52yY21d.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\fbAxxIYB7lPKpf.hlk (Explorer.EXE)
- File created: C:\Windows\system32\ \Windows\System32\nTE2rOl.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\tzfFEO9pva9.asm (Explorer.EXE)
- File opened for modification: C:\Windows\system32\xSVBiS3G5cqxYw.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\jquEIUUNNTsQgG.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\sjNYwlsAK2.ywb (Explorer.EXE)
- File opened for modification: C:\Windows\system32\2xwmOxmotIBi4.sys (Explorer.EXE)
Drops file in Program Files directory (21 IoCs)
All entries: File opened for modification by Explorer.EXE
- C:\Program Files\Google\manifest.json
- C:\Program Files\Google\3962a7dc.js
- C:\Program Files\LeuOWYxIru.sys
- C:\Program Files (x86)\QasXFscW9zJ6Iq.sys
- C:\Program Files\ciEcPkE4Tp3nZW.sys
- C:\Program Files\Tbg1jpLegdb.sys
- C:\Program Files\yBqh4srI2KF6v.bdo
- C:\Program Files (x86)\44Aa9pgRj0.kxe
- C:\Program Files\Google\lib\646ca5c1.js
- C:\Program Files\6aaoVQYhCnU.ant
- C:\Program Files (x86)\Ebd0A3ieMTxY.sys
- C:\Program Files\NK1RJib5uqaY.yyo
- C:\Program Files (x86)\E1eAaV7Y1GbnZT.hbj
- C:\Program Files (x86)\3LL4Pa5p7SZWgA.zae
- C:\Program Files (x86)\DXwguNxn40J.sys
- C:\Program Files (x86)\K2eAk14v1Yzqo1.tzp
- C:\Program Files\Google\5613fbca.js
- C:\Program Files\pXh0eU8ZIv.yxn
- C:\Program Files\gyilEaNQFX9LZt.sys
- C:\Program Files (x86)\98aX4UdycEY.sys
- C:\Program Files\Google\47bb51d3.html
Drops file in Windows directory (10 IoCs)
- File opened for modification: C:\Windows\err_2260.log (60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe)
- File created: C:\Windows\G8VClw4BB.sys (Explorer.EXE)
- File opened for modification: C:\Windows\ME7MsVfOL74K4m.rqt (Explorer.EXE)
- File opened for modification: C:\Windows\nP2H49EgmC.sys (Explorer.EXE)
- File opened for modification: C:\Windows\uoEuwKet5h90g.sys (Explorer.EXE)
- File opened for modification: C:\Windows\FkL8zGVWbqvsc.cpf (Explorer.EXE)
- File opened for modification: C:\Windows\bQM8ehysQL.sys (Explorer.EXE)
- File opened for modification: C:\Windows\6qEHxOiQXYab.ysg (Explorer.EXE)
- File opened for modification: C:\Windows\q3ITf5slosddh.sys (Explorer.EXE)
- File opened for modification: C:\Windows\C9VHS2lBpgP.fql (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (Explorer.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (Explorer.EXE)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (Explorer.EXE)
Delays execution with timeout.exe (1 IoC)
- PID 1100: timeout.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2260: 60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe (8 occurrences)
- PID 3104: Explorer.EXE (56 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3104: Explorer.EXE
Suspicious behavior: LoadsDriver (59 IoCs)
- PID 668: Process not Found (59 occurrences)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
- PID 2260 (60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe): SeDebugPrivilege (3), SeTcbPrivilege (1), SeIncBasePriorityPrivilege (1)
- PID 3104 (Explorer.EXE): SeDebugPrivilege (5), SeShutdownPrivilege (1), SeCreatePagefilePrivilege (1), SeBackupPrivilege (1)
- PID 336 (dwm.exe): SeDebugPrivilege (1), SeBackupPrivilege (1), SeShutdownPrivilege (2), SeCreatePagefilePrivilege (2)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3104: Explorer.EXE
Suspicious use of WriteProcessMemory (22 IoCs)
- PID 2260 (60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe) wrote to memory of PID 3104 (procid_target 45): 5 occurrences
- PID 2260 (60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe) wrote to memory of PID 628 (procid_target 3): 5 occurrences
- PID 2260 (60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe) wrote to memory of PID 5008 (procid_target 102): 3 occurrences
- PID 5008 (cmd.exe) wrote to memory of PID 1100 (procid_target 104): 3 occurrences
- PID 3104 (Explorer.EXE) wrote to memory of PID 336 (procid_target 9): 6 occurrences
Processes

[1] C:\Windows\system32\winlogon.exe
    Command line: winlogon.exe
    PID: 628
    [2] C:\Windows\system32\dwm.exe
        Command line: "dwm.exe"
        PID: 336
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3104
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe"
        PID: 2260
        - Checks computer location settings
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe"
            PID: 5008
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\timeout.exe
                Command line: timeout /t 1
                PID: 1100
                - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads