Analysis
-
max time kernel
34s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system -
submitted
08/12/2023, 12:31
Behavioral task
behavioral1
Sample
d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe
Resource
win7-20231023-en
General
-
Target
d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe
-
Size
274KB
-
MD5
3770d583b1a66fa8ca3a9f92ed60b353
-
SHA1
5227742ceb4796e724d7f8e7e8cd67fab764f864
-
SHA256
d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8
-
SHA512
83bd1f44c257775d957525801abf687f514995d0ebd84361c0bed1b7e19208704be5d87a76b08a71aa9dff5e79cf8e114f82b30cc6af7acfb619945b4e297023
-
SSDEEP
6144:ZbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:ZPcrfR6ZnOkx2LIa
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2972-2-0x0000000000D00000-0x0000000000D8C000-memory.dmp upx behavioral1/memory/2972-155-0x0000000000D00000-0x0000000000D8C000-memory.dmp upx behavioral1/memory/2972-156-0x0000000000D00000-0x0000000000D8C000-memory.dmp upx behavioral1/memory/2972-640-0x0000000000D00000-0x0000000000D8C000-memory.dmp upx behavioral1/memory/2972-682-0x0000000000D00000-0x0000000000D8C000-memory.dmp upx -
Unexpected DNS network traffic destination 6 IoCs
Traffic on the DNS port was observed going to servers other than the configured DNS servers.
description ioc Destination IP 223.5.5.5 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 -
resource yara_rule behavioral1/files/0x000a00000001644c-729.dat vmprotect behavioral1/files/0x0014000000016594-757.dat vmprotect behavioral1/files/0x0013000000016611-785.dat vmprotect behavioral1/files/0x0016000000016594-819.dat vmprotect -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\err_2972.log d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2720 timeout.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe1
81f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2972 d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe 2972 d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe 2972 d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2972 d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe Token: SeTcbPrivilege 2972 d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe"C:\Users\Admin\AppData\Local\Temp\d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe"1⤵
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe"2⤵PID:2648
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 11⤵
- Delays execution with timeout.exe
PID:2720
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A
Filesize 2KB
MD5 9ba47a279b7950e198b6076171704bd8
SHA1 2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab
SHA256 1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6
SHA512 d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5
-
Filesize
65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize 1KB
MD5 b3e886f0a26b67c1234b30c755341758
SHA1 8a881fb559672e95834def740fc5ba017879b0db
SHA256 808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f
SHA512 66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524
-
Filesize
599B
MD5 3fefedd2d651734aab0aff2f8161db56
SHA1 eda0d013d0db080e6477965234bf4db2aceb215e
SHA256 4a2a561a396876d9ef6387f7f5394313a82d06945aae92d672a39b3db8cc5f01
SHA512 0ac825bf61b063f64e93eb4638ebeb63457309068e8a8ac27ea15b79c0ae7968ec1db6df757d74d9350abfd262d2a834ab54ee47f8d04dbb6451f7133072a56e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A
Filesize 484B
MD5 f4bae28f6c27ac2939a2754ac6e39eb5
SHA1 cb660ea05989126263497854a6425589f66046f4
SHA256 715ef083b8e9fdcb5b7d82228b4e27d81ad6865407bda78a2d4435f64db8ba44
SHA512 0dd7252e1770c9fb616099f49ec885341fce928124e0977622117a172b1257d52e3bcc6c702347a29bb9e7472153913c367b1c425e704bca0928dabb2ac69458
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2a778200afd260cf95c3c347d89e1f70
SHA1 2822fd32347c507fbe8e1227b0f2db71dae29c5c
SHA256 9769967e537a56a4d3b4ba592268af2befebfc597a6e0610647353b1189f88ab
SHA512 0e42c3dc37f9ce8df036be68b9786d5252f4356dc019ad7186947a1b779b0dc9c434bb1a6485b84d4c0a32e62db092296ebc60241856784555f8237fbf971629
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize 482B
MD5 1cb60baade60395b180cff592e18c6b0
SHA1 85f55bf8cd7ce28e7db9bea66830fce37a2e1e4c
SHA256 61c281a1db2ff28b26beeafe98d8c05a140837572b2ecb542460fe0729ea1012
SHA512 bc5fc9d4769e84fdfd67e7262d8461969a1911712981227c58ae2127bd4ac08a54a56ee340ec9bb4abd7b5f0cfd7874542807b83e2ba733dfff645f616a16bf3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4
Filesize 504B
MD5 a94ba2fbadef7e0d765f09a855914a73
SHA1 7bb4b4e56fd2fc27c2b9072a720bd6d47ea39429
SHA256 cf1301a175c767e7eeb0b2cefbfed9eea01376188eea9119f685953a490730b4
SHA512 e684b93ceb62dd175aa7b24a1d753c2877ff4be464f5d37d9ecf3a87b6794396805c65c3c0f94e979b2c43d50c2079253603ff03e2d821e9c2e6bcdd4ae5e529
-
Filesize
171KB
MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
415KB
MD5 ae8b0f6f21de8de2314a2ff74e8fe49c
SHA1 76eb2832d27a0eddfd205a7ebe6469da60f3d82f
SHA256 61b87eaafbc5e4009de526d3562c19e9bc41a0a31cb76606606902c59dabec5a
SHA512 d46a19f4bbcf32770e8c77c059229d4d962156099759a4e7d12a7b9d61cb5629ef1e954a86397645c4f3ad7981c4932611cc7c07da633ba029b7de5829f693e8
-
Filesize
447KB
MD5 eb2688a5d3f60b3749fc4db6269e09d7
SHA1 a15107f1c1393bc1d8bb445053a7587195238871
SHA256 1088684f02079ed67f61203e0f5932484b436e790dfb8a43d17cffcf035c2aa9
SHA512 9904c7dafceda71e15da14653a0eac9623ede4cd88f54a6be0ce9d19a9b2730491b0ab0044a31de996edef12a1ae5697906de6a9bd3678814bc4026b62570ca5
-
Filesize
415KB
MD5 64bc1983743c584a9ad09dacf12792e5
SHA1 0f14098f523d21f11129c4df09451413ddff6d61
SHA256 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA512 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c
-
Filesize
447KB
MD5 d15f5f23df8036bd5089ce8d151b0e0d
SHA1 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256 f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512 feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9