Analysis

  • max time kernel
    29s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/12/2023, 12:17

General

  • Target

    d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe

  • Size

    274KB

  • MD5

    611cfe7ca2001a07c9a7e18958319ccd

  • SHA1

    3d791cbc2880ff92bffc1561d235fdaf49f86b71

  • SHA256

    d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751

  • SHA512

    fe20ebf88e8b1fd319b5992fbbacd8d4700e60449c81e9507f7f6821889b2ecd51326bbd92a215e0a9c47e602b60456f7097a4a0d7c2097b1f0032d477b064eb

  • SSDEEP

    6144:qbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:qPcrfR6ZnOkx2LIa

Score
7/10

Malware Config

Signatures

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in Windows directory 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
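
The "UPX packed file" and "VMProtect packed file" hits above are static heuristics: both packers leave characteristic section names (UPX0/UPX1, .vmp0/.vmp1), and the packed payload section has near-8-bit entropy. The report does not say which of the sample's files matched which signature. The following is an added example, not Triage's signature code: it parses the PE section table by hand and applies both checks. The PE it inspects is built in memory so the block runs offline; the section-name sets and the 7.0 bits/byte threshold are assumptions.

```python
import math
import random
import struct

# Section names the two packer families leave behind (assumed list, extend as needed)
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"}
VMPROTECT_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed/encrypted data sits near 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the section table of a PE image and yield (name, raw_bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(num_sections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packer_verdict(image: bytes) -> dict:
    """Combine the two signals: packer section names and per-section entropy."""
    families, hot = set(), []
    for name, data in pe_sections(image):
        if name in UPX_SECTIONS:
            families.add("UPX")
        if name in VMPROTECT_SECTIONS:
            families.add("VMProtect")
        ent = shannon_entropy(data)
        if data and ent >= HIGH_ENTROPY:
            hot.append((name, round(ent, 2)))
    return {"families": sorted(families), "high_entropy_sections": hot}


def build_demo_pe(sections) -> bytes:
    """Construct a minimal PE32 with the given (name, payload) sections.
    Only the fields pe_sections() reads are filled in; this is a test
    fixture, not a loadable binary."""
    e_lfanew, opt_size = 0x40, 0xE0
    table = e_lfanew + 4 + 20 + opt_size
    data_start = table + 40 * len(sections)
    hdr = bytearray(b"MZ") + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr += b"\0" * opt_size
    body = bytearray()
    for name, payload in sections:
        ptr = data_start + len(body)
        hdr += struct.pack("<8sIIII", name.encode("ascii"), len(payload), 0x1000, len(payload), ptr)
        hdr += b"\0" * 16                      # relocs, line numbers, characteristics
        body += payload
    return bytes(hdr + body)


if __name__ == "__main__":
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))    # stands in for compressed code
    plain = b"\x55\x8b\xec\x83\xec\x10" * 700                    # repetitive x86 prologue bytes
    print("UPX-like :", packer_verdict(build_demo_pe([("UPX0", b""), ("UPX1", packed), (".rsrc", plain)])))
    print("VMP-like :", packer_verdict(build_demo_pe([(".text", plain), (".vmp0", packed), (".vmp1", packed)])))
    print("unpacked :", packer_verdict(build_demo_pe([(".text", plain), (".data", plain)])))
```

Section names are the cheap signal and the first thing a "modified UPX" build strips, so the entropy check is the fallback; it also fires on legitimately compressed .rsrc data (icons, embedded archives), which is why the verdict reports both signals rather than a single boolean.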

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe
        "C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe"
        2⤵
        • Drops file in Windows directory
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe"
          3⤵
            PID:2116
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 1
        1⤵
        • Delays execution with timeout.exe
        PID:872
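
Two details of the tree are worth a rule. First, the dropper (PID 2988) spawns `cmd.exe /c timeout /t 1 & del /Q /F "<its own path>"`: the one-second delay lets the parent exit so the `del` succeeds, which is the self-delete pattern behind the "Delays execution with timeout.exe" signature. Second, the command line asks for `C:\Windows\System32\cmd.exe` but the image that ran is `C:\Windows\SysWOW64\cmd.exe`; that is WOW64 file-system redirection, which only happens when the caller is a 32-bit process. The block below is an added example, not a Triage signature: it runs a self-delete rule over constructed process-creation records that mirror the tree (the Sysmon-style field names are an assumption, and timeout.exe is parented to cmd.exe here, which the report leaves unlinked).

```python
import re

# Delay primitives commonly chained in front of the delete (assumed list)
DELAY_RE = re.compile(r"\b(timeout|ping|choice)(\.exe)?\b", re.IGNORECASE)
# 'del' or 'erase', its flags, then a quoted or bare absolute path with an extension
DEL_RE = re.compile(
    r"""\b(del|erase)\b[^&|]*?"?(?P<target>[A-Za-z]:\\[^"&|]+?\.[A-Za-z0-9]{1,4})"?(?=\s|$)""",
    re.IGNORECASE,
)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe"

# Constructed process-creation events following the tree above (PIDs, images, command lines).
EVENTS = [
    {"pid": 1208, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2988, "ppid": 1208, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 2116, "ppid": 2988, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "{DROPPER}"'},
    {"pid": 872, "ppid": 2116, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout /t 1"},
    # benign control (constructed): a cleanup job that deletes without delaying
    {"pid": 3100, "ppid": 1208, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /Q C:\Temp\old.log"},
]


def self_delete_chain(events):
    """Return a finding for every cmd.exe whose command line both delays and
    deletes a file, noting whether the target is the parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        cmdline = e["cmdline"]
        m = DEL_RE.search(cmdline)
        if not m or not DELAY_RE.search(cmdline):
            continue
        target = m.group("target")
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else ""
        findings.append({
            "pid": e["pid"],
            "parent_pid": e["ppid"],
            "target": target,
            "deletes_parent_image": target.lower() == parent_image.lower(),
            # caller asked for System32\cmd.exe but SysWOW64\cmd.exe ran:
            # file-system redirection, so the parent is a 32-bit process
            "wow64_redirected": ("\\syswow64\\" in e["image"].lower()
                                 and "\\system32\\" in cmdline.lower()),
        })
    return findings


if __name__ == "__main__":
    for finding in self_delete_chain(EVENTS):
        print(finding)
```

Requiring both the delay and the delete keeps ordinary `del` cleanups quiet; matching the deleted path against the parent's image is what separates "removes its own dropper" from "removes some file", and the WOW64 flag is a free bitness indicator that agrees with the arch:x86 resource tag on this run.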

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

              Filesize

              2KB

              MD5

              9ba47a279b7950e198b6076171704bd8

              SHA1

              2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab

              SHA256

              1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6

              SHA512

              d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

              Filesize

              65KB

              MD5

              ac05d27423a85adc1622c714f2cb6184

              SHA1

              b0fe2b1abddb97837ea0195be70ab2ff14d43198

              SHA256

              c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

              SHA512

              6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

              Filesize

              1KB

              MD5

              b3e886f0a26b67c1234b30c755341758

              SHA1

              8a881fb559672e95834def740fc5ba017879b0db

              SHA256

              808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f

              SHA512

              66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

              Filesize

              484B

              MD5

              9f1184044beca878542f59369e358ce1

              SHA1

              aa665e3c700c5cfed154bf9c6d4fa906d8c8920a

              SHA256

              c068c49f32f697284c9054355c0529a61533db82b06bce30ec9b69cae3e782bc

              SHA512

              b2a30bdd01a903ef6c329d4c33cb5d96b719f0c6ea4d1527989de444c0fcb3b8407cb409c7d54676f3ebee420877b2764e8fa8c6d04a7acb54f799212839e8ff

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

              Filesize

              344B

              MD5

              00a9d8018637d69a17ee580c888d107c

              SHA1

              7d956d925e02cb2f3ac34233f0b7d664208f9f39

              SHA256

              484fcd0457cfb06e2c6cea0fcbe40c3c45c7b3a15222bdef658005eae686221a

              SHA512

              560a6866c23d35ef4c5a9d86a7b33ca0ba19be2d1441b2df6654ce1cb9dda1356ce20d876b89724ef72974c52b529a73edb919cc7eef505d74df26e02fa06720

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

              Filesize

              344B

              MD5

              9318e0f252d58eb6e35483712efcc717

              SHA1

              cbd9f799877d7a0e2928dd1aabe3bf77dcd76c72

              SHA256

              6224316c8a1c5c843cd72c105e932dc473b0540a1ec9939fad784072459fd365

              SHA512

              80c60d5b22f827bee28b18e6f38f193e3ff8cbb8ffe987a443ffc9376276dd649676f26ae60a23bd32e3e09af639acc770a0449184eb9d2f660fa1bdabfbcb01

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

              Filesize

              482B

              MD5

              250f18d91164673dbe96fdebcbec1dfb

              SHA1

              def0663ca96c89f0da5ad38edb9a6a4519c59607

              SHA256

              cf870106ef5c647b128f819b32ab5c58aab9f2024e7f4df1e26df41ed6e1dde8

              SHA512

              b9a48a685f4630c2551fb9eebe913acba254fc999c82d0fc041dd788fc24ffb0a3996d52e2e365525878f93963dac1cdaa77bae01034e11b3350ad27562d23ad

            • C:\Users\Admin\AppData\Local\Temp\Tar3FE5.tmp

              Filesize

              171KB

              MD5

              9c0c641c06238516f27941aa1166d427

              SHA1

              64cd549fb8cf014fcd9312aa7a5b023847b6c977

              SHA256

              4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

              SHA512

              936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

            • C:\Windows\KsoKRA5ohW5.sys

              Filesize

              415KB

              MD5

              0f1f19828831d42ecef57452a8f68330

              SHA1

              af1d89ea4f60d300971900af154758b2f891c04e

              SHA256

              91077a367038e9e8c06258fcb5f3f0b968491a0b09e7aed80e49ec0cf13d27b9

              SHA512

              dc8d698d4420e5060677cf1f0dce2238c7e7affeb2e92b01e8764a918e4465074cf578836747fe50415db090832cf12c760198241d695ce84e22c5f2145f66dc

            • C:\Windows\UpzR0OcX8BVT.sys

              Filesize

              447KB

              MD5

              0812322e8108b35fe46f66bd8d718811

              SHA1

              ce0ee5df291e5793f6331a5deb83fd9e9c7aeeaf

              SHA256

              2d8493b42c162f70adae5ad3b4bc90eb170ff4152c381e4264ddac2445fe1a31

              SHA512

              2cbbae3cc31e77c0f15ebb47b1ddd793297eb23f9f77b2d6b1f11142d4370ba419f43c2af25345aa7a4f2113913867be064805a31893466c4913c7119719d271

            • C:\Windows\Vl6achcxdKN0.sys

              Filesize

              447KB

              MD5

              d15f5f23df8036bd5089ce8d151b0e0d

              SHA1

              4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

              SHA256

              f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

              SHA512

              feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

            • C:\Windows\bOraNqRSekTk0o.sys

              Filesize

              415KB

              MD5

              64bc1983743c584a9ad09dacf12792e5

              SHA1

              0f14098f523d21f11129c4df09451413ddff6d61

              SHA256

              057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

              SHA512

              9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

            • memory/424-650-0x00000000004B0000-0x00000000004B3000-memory.dmp

              Filesize

              12KB

            • memory/424-651-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/424-653-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/424-706-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/1172-842-0x0000000000120000-0x0000000000121000-memory.dmp

              Filesize

              4KB

            • memory/1172-852-0x0000000000160000-0x0000000000163000-memory.dmp

              Filesize

              12KB

            • memory/1172-861-0x0000000000200000-0x0000000000201000-memory.dmp

              Filesize

              4KB

            • memory/1172-860-0x0000000002060000-0x000000000210F000-memory.dmp

              Filesize

              700KB

            • memory/1172-854-0x0000000000160000-0x0000000000163000-memory.dmp

              Filesize

              12KB

            • memory/1172-848-0x0000000000160000-0x0000000000163000-memory.dmp

              Filesize

              12KB

            • memory/1172-840-0x0000000001FB0000-0x000000000205A000-memory.dmp

              Filesize

              680KB

            • memory/1172-864-0x0000000002060000-0x000000000210F000-memory.dmp

              Filesize

              700KB

            • memory/1208-710-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/1208-856-0x0000000008EA0000-0x0000000008EA4000-memory.dmp

              Filesize

              16KB

            • memory/1208-863-0x0000000008DF0000-0x0000000008E9F000-memory.dmp

              Filesize

              700KB

            • memory/1208-718-0x0000000008DF0000-0x0000000008E9F000-memory.dmp

              Filesize

              700KB

            • memory/1208-712-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/1208-713-0x0000000002E40000-0x0000000002E41000-memory.dmp

              Filesize

              4KB

            • memory/1208-714-0x0000000002E40000-0x0000000002E41000-memory.dmp

              Filesize

              4KB

            • memory/1208-716-0x0000000002E40000-0x0000000002E41000-memory.dmp

              Filesize

              4KB

            • memory/1208-715-0x0000000002E40000-0x0000000002E41000-memory.dmp

              Filesize

              4KB

            • memory/1208-709-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/1208-707-0x0000000037C10000-0x0000000037C20000-memory.dmp

              Filesize

              64KB

            • memory/1208-696-0x00000000049B0000-0x0000000004A61000-memory.dmp

              Filesize

              708KB

            • memory/1208-835-0x0000000008DF0000-0x0000000008E9F000-memory.dmp

              Filesize

              700KB

            • memory/1208-834-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/1208-862-0x0000000008DF0000-0x0000000008E9F000-memory.dmp

              Filesize

              700KB

            • memory/1208-711-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/1208-839-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

              Filesize

              4KB

            • memory/1208-642-0x0000000002BB0000-0x0000000002BB3000-memory.dmp

              Filesize

              12KB

            • memory/1208-859-0x0000000002E40000-0x0000000002E41000-memory.dmp

              Filesize

              4KB

            • memory/1208-858-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/1208-857-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/1208-855-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

              Filesize

              4KB

            • memory/1208-646-0x00000000049B0000-0x0000000004A61000-memory.dmp

              Filesize

              708KB

            • memory/1208-853-0x00000000004C0000-0x00000000004E8000-memory.dmp

              Filesize

              160KB

            • memory/1208-648-0x000007FEBE130000-0x000007FEBE140000-memory.dmp

              Filesize

              64KB

            • memory/1208-644-0x0000000002BB0000-0x0000000002BB3000-memory.dmp

              Filesize

              12KB

            • memory/2988-438-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

              Filesize

              560KB

            • memory/2988-661-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

              Filesize

              560KB

            • memory/2988-680-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

              Filesize

              560KB

            • memory/2988-0-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

              Filesize

              560KB

            • memory/2988-155-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

              Filesize

              560KB
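
The dropped-file listing above carries more than hashes. Four `.sys` files land directly in `C:\Windows` rather than `System32\drivers`, all with random-looking names, and they come in two size classes (415KB twice, 447KB twice) with different hashes within each class. Sizes in the listing are rounded to the kilobyte, so a same-size pair is a lead, not proof; one reading is the same driver written twice with per-write variation, which the report itself does not establish. The block below is an added example, not Triage output: it runs those three checks over records copied from the listing (two non-driver entries kept as controls). The name-randomness heuristic and its thresholds are assumptions.

```python
import ntpath
from collections import defaultdict

# Records copied from the dropped-file listing above: (path, size as shown in KB, MD5).
# The last two are CryptnetUrlCache / temp artefacts kept as controls.
DROPPED = [
    (r"C:\Windows\KsoKRA5ohW5.sys", 415, "0f1f19828831d42ecef57452a8f68330"),
    (r"C:\Windows\UpzR0OcX8BVT.sys", 447, "0812322e8108b35fe46f66bd8d718811"),
    (r"C:\Windows\Vl6achcxdKN0.sys", 447, "d15f5f23df8036bd5089ce8d151b0e0d"),
    (r"C:\Windows\bOraNqRSekTk0o.sys", 415, "64bc1983743c584a9ad09dacf12792e5"),
    (r"C:\Users\Admin\AppData\Local\Temp\Tar3FE5.tmp", 171, "9c0c641c06238516f27941aa1166d427"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015",
     65, "ac05d27423a85adc1622c714f2cb6184"),
]


def looks_random(stem: str) -> bool:
    """Heuristic for generated names: mixed case plus digits, at least two
    case flips between adjacent letters, few vowels.  Thresholds are assumptions."""
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    return (any(c.isupper() for c in stem) and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem) and flips >= 2 and vowel_ratio < 0.4)


def triage(records):
    """Flag drivers dropped directly under C:\\Windows and random-looking names;
    group by (extension, size) to expose same-size/different-hash sets."""
    by_size = defaultdict(list)
    flagged = {}
    for path, size_kb, md5 in records:
        name = ntpath.basename(path)
        stem, ext = ntpath.splitext(name)
        flags = []
        if ext.lower() == ".sys" and ntpath.dirname(path).lower() == r"c:\windows":
            flags.append("driver_in_windows_root")   # legitimate drivers live in System32\drivers
        if looks_random(stem):
            flags.append("random_name")
        if flags:
            flagged[name] = flags
        by_size[(ext.lower(), size_kb)].append(md5)
    # groups where every member has a distinct hash at the same size
    variants = {k: v for k, v in by_size.items() if len(v) > 1 and len(set(v)) == len(v)}
    return flagged, variants


if __name__ == "__main__":
    flagged, variants = triage(DROPPED)
    for name, flags in flagged.items():
        print(name, flags)
    for (ext, size_kb), md5s in variants.items():
        print(f"{ext} {size_kb}KB: {len(md5s)} files, {len(set(md5s))} distinct MD5s")
```

On a live host the same checks apply to file-creation telemetry: a `.sys` written to the Windows root by a process running out of a user's Temp directory is the signal behind the "Drops file in Windows directory" hit, independent of whether the driver is ever loaded.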