Analysis

  • max time kernel
    34s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/12/2023, 12:31

General

  • Target

    d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe

  • Size

    274KB

  • MD5

    3770d583b1a66fa8ca3a9f92ed60b353

  • SHA1

    5227742ceb4796e724d7f8e7e8cd67fab764f864

  • SHA256

    d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8

  • SHA512

    83bd1f44c257775d957525801abf687f514995d0ebd84361c0bed1b7e19208704be5d87a76b08a71aa9dff5e79cf8e114f82b30cc6af7acfb619945b4e297023

  • SSDEEP

    6144:ZbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:ZPcrfR6ZnOkx2LIa

Score
7/10

Malware Config

Signatures

  • UPX packed file (5 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination (6 IoCs)

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file (4 IoCs)

    Detects executables packed with VMProtect commercial packer.

  • Drops file in Windows directory (1 IoCs)
  • Delays execution with timeout.exe (1 IoCs)
  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe
    "C:\Users\Admin\AppData\Local\Temp\d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe"
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe"
        PID:2648
    • C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      • Delays execution with timeout.exe
      PID:2720

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

            Filesize

            2KB

            MD5

            9ba47a279b7950e198b6076171704bd8

            SHA1

            2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab

            SHA256

            1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6

            SHA512

            d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            1KB

            MD5

            b3e886f0a26b67c1234b30c755341758

            SHA1

            8a881fb559672e95834def740fc5ba017879b0db

            SHA256

            808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f

            SHA512

            66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

            Filesize

            599B

            MD5

            3fefedd2d651734aab0aff2f8161db56

            SHA1

            eda0d013d0db080e6477965234bf4db2aceb215e

            SHA256

            4a2a561a396876d9ef6387f7f5394313a82d06945aae92d672a39b3db8cc5f01

            SHA512

            0ac825bf61b063f64e93eb4638ebeb63457309068e8a8ac27ea15b79c0ae7968ec1db6df757d74d9350abfd262d2a834ab54ee47f8d04dbb6451f7133072a56e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

            Filesize

            484B

            MD5

            f4bae28f6c27ac2939a2754ac6e39eb5

            SHA1

            cb660ea05989126263497854a6425589f66046f4

            SHA256

            715ef083b8e9fdcb5b7d82228b4e27d81ad6865407bda78a2d4435f64db8ba44

            SHA512

            0dd7252e1770c9fb616099f49ec885341fce928124e0977622117a172b1257d52e3bcc6c702347a29bb9e7472153913c367b1c425e704bca0928dabb2ac69458

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            2a778200afd260cf95c3c347d89e1f70

            SHA1

            2822fd32347c507fbe8e1227b0f2db71dae29c5c

            SHA256

            9769967e537a56a4d3b4ba592268af2befebfc597a6e0610647353b1189f88ab

            SHA512

            0e42c3dc37f9ce8df036be68b9786d5252f4356dc019ad7186947a1b779b0dc9c434bb1a6485b84d4c0a32e62db092296ebc60241856784555f8237fbf971629

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            482B

            MD5

            1cb60baade60395b180cff592e18c6b0

            SHA1

            85f55bf8cd7ce28e7db9bea66830fce37a2e1e4c

            SHA256

            61c281a1db2ff28b26beeafe98d8c05a140837572b2ecb542460fe0729ea1012

            SHA512

            bc5fc9d4769e84fdfd67e7262d8461969a1911712981227c58ae2127bd4ac08a54a56ee340ec9bb4abd7b5f0cfd7874542807b83e2ba733dfff645f616a16bf3

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

            Filesize

            504B

            MD5

            a94ba2fbadef7e0d765f09a855914a73

            SHA1

            7bb4b4e56fd2fc27c2b9072a720bd6d47ea39429

            SHA256

            cf1301a175c767e7eeb0b2cefbfed9eea01376188eea9119f685953a490730b4

            SHA512

            e684b93ceb62dd175aa7b24a1d753c2877ff4be464f5d37d9ecf3a87b6794396805c65c3c0f94e979b2c43d50c2079253603ff03e2d821e9c2e6bcdd4ae5e529

          • C:\Users\Admin\AppData\Local\Temp\Tar4D3D.tmp

            Filesize

            171KB

            MD5

            9c0c641c06238516f27941aa1166d427

            SHA1

            64cd549fb8cf014fcd9312aa7a5b023847b6c977

            SHA256

            4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

            SHA512

            936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

          • C:\Windows\51nYQPrcUIE.sys

            Filesize

            415KB

            MD5

            ae8b0f6f21de8de2314a2ff74e8fe49c

            SHA1

            76eb2832d27a0eddfd205a7ebe6469da60f3d82f

            SHA256

            61b87eaafbc5e4009de526d3562c19e9bc41a0a31cb76606606902c59dabec5a

            SHA512

            d46a19f4bbcf32770e8c77c059229d4d962156099759a4e7d12a7b9d61cb5629ef1e954a86397645c4f3ad7981c4932611cc7c07da633ba029b7de5829f693e8

          • C:\Windows\EmyaFqNrqiPmWl.sys

            Filesize

            447KB

            MD5

            eb2688a5d3f60b3749fc4db6269e09d7

            SHA1

            a15107f1c1393bc1d8bb445053a7587195238871

            SHA256

            1088684f02079ed67f61203e0f5932484b436e790dfb8a43d17cffcf035c2aa9

            SHA512

            9904c7dafceda71e15da14653a0eac9623ede4cd88f54a6be0ce9d19a9b2730491b0ab0044a31de996edef12a1ae5697906de6a9bd3678814bc4026b62570ca5

          • C:\Windows\HDUwcwuxnhYC.sys

            Filesize

            415KB

            MD5

            64bc1983743c584a9ad09dacf12792e5

            SHA1

            0f14098f523d21f11129c4df09451413ddff6d61

            SHA256

            057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

            SHA512

            9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

          • C:\Windows\Z5TAdfX37ujPIj.sys

            Filesize

            447KB

            MD5

            d15f5f23df8036bd5089ce8d151b0e0d

            SHA1

            4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

            SHA256

            f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

            SHA512

            feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

          • memory/420-654-0x0000000000870000-0x0000000000898000-memory.dmp

            Filesize

            160KB

          • memory/420-711-0x0000000000870000-0x0000000000898000-memory.dmp

            Filesize

            160KB

          • memory/1172-858-0x0000000000330000-0x0000000000331000-memory.dmp

            Filesize

            4KB

          • memory/1172-855-0x00000000001D0000-0x00000000001D3000-memory.dmp

            Filesize

            12KB

          • memory/1172-893-0x00000000020F0000-0x000000000219F000-memory.dmp

            Filesize

            700KB

          • memory/1172-889-0x0000000002520000-0x0000000002523000-memory.dmp

            Filesize

            12KB

          • memory/1172-892-0x00000000034A0000-0x000000000354F000-memory.dmp

            Filesize

            700KB

          • memory/1172-843-0x0000000000280000-0x000000000032A000-memory.dmp

            Filesize

            680KB

          • memory/1172-845-0x00000000001A0000-0x00000000001A1000-memory.dmp

            Filesize

            4KB

          • memory/1172-851-0x00000000001D0000-0x00000000001D3000-memory.dmp

            Filesize

            12KB

          • memory/1172-856-0x00000000001D0000-0x00000000001D3000-memory.dmp

            Filesize

            12KB

          • memory/1172-857-0x00000000020F0000-0x000000000219F000-memory.dmp

            Filesize

            700KB

          • memory/1224-712-0x00000000039C0000-0x00000000039C1000-memory.dmp

            Filesize

            4KB

          • memory/1224-841-0x0000000003A00000-0x0000000003A01000-memory.dmp

            Filesize

            4KB

          • memory/1224-721-0x0000000003AB0000-0x0000000003B5F000-memory.dmp

            Filesize

            700KB

          • memory/1224-894-0x000000000AE40000-0x000000000AEEF000-memory.dmp

            Filesize

            700KB

          • memory/1224-644-0x0000000002AF0000-0x0000000002AF3000-memory.dmp

            Filesize

            12KB

          • memory/1224-650-0x000007FEBF910000-0x000007FEBF920000-memory.dmp

            Filesize

            64KB

          • memory/1224-651-0x0000000004CB0000-0x0000000004D61000-memory.dmp

            Filesize

            708KB

          • memory/1224-649-0x0000000002AF0000-0x0000000002AF3000-memory.dmp

            Filesize

            12KB

          • memory/1224-647-0x0000000004CB0000-0x0000000004D61000-memory.dmp

            Filesize

            708KB

          • memory/1224-646-0x0000000002AF0000-0x0000000002AF3000-memory.dmp

            Filesize

            12KB

          • memory/1224-710-0x0000000004CB0000-0x0000000004D61000-memory.dmp

            Filesize

            708KB

          • memory/1224-707-0x00000000377D0000-0x00000000377E0000-memory.dmp

            Filesize

            64KB

          • memory/1224-891-0x0000000003A00000-0x0000000003A01000-memory.dmp

            Filesize

            4KB

          • memory/1224-839-0x0000000000870000-0x0000000000898000-memory.dmp

            Filesize

            160KB

          • memory/1224-840-0x0000000003AB0000-0x0000000003B5F000-memory.dmp

            Filesize

            700KB

          • memory/1224-709-0x0000000000870000-0x0000000000898000-memory.dmp

            Filesize

            160KB

          • memory/1224-713-0x00000000039C0000-0x00000000039C1000-memory.dmp

            Filesize

            4KB

          • memory/1224-716-0x00000000039C0000-0x00000000039C1000-memory.dmp

            Filesize

            4KB

          • memory/1224-714-0x00000000039C0000-0x00000000039C1000-memory.dmp

            Filesize

            4KB

          • memory/1224-715-0x00000000039C0000-0x00000000039C1000-memory.dmp

            Filesize

            4KB

          • memory/1224-717-0x00000000039C0000-0x00000000039C1000-memory.dmp

            Filesize

            4KB

          • memory/1224-718-0x00000000039C0000-0x00000000039C1000-memory.dmp

            Filesize

            4KB

          • memory/1224-719-0x00000000039C0000-0x00000000039C1000-memory.dmp

            Filesize

            4KB

          • memory/1224-842-0x00000000039C0000-0x00000000039C1000-memory.dmp

            Filesize

            4KB

          • memory/1224-874-0x000000000AE40000-0x000000000AEEF000-memory.dmp

            Filesize

            700KB

          • memory/1224-876-0x0000000003AB0000-0x0000000003B5F000-memory.dmp

            Filesize

            700KB

          • memory/1224-879-0x000000000AE40000-0x000000000AEEF000-memory.dmp

            Filesize

            700KB

          • memory/2972-2-0x0000000000D00000-0x0000000000D8C000-memory.dmp

            Filesize

            560KB

          • memory/2972-155-0x0000000000D00000-0x0000000000D8C000-memory.dmp

            Filesize

            560KB

          • memory/2972-156-0x0000000000D00000-0x0000000000D8C000-memory.dmp

            Filesize

            560KB

          • memory/2972-640-0x0000000000D00000-0x0000000000D8C000-memory.dmp

            Filesize

            560KB

          • memory/2972-682-0x0000000000D00000-0x0000000000D8C000-memory.dmp

            Filesize

            560KB