Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/12/2023, 12:31

General

  • Target

    d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe

  • Size

    274KB

  • MD5

    3770d583b1a66fa8ca3a9f92ed60b353

  • SHA1

    5227742ceb4796e724d7f8e7e8cd67fab764f864

  • SHA256

    d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8

  • SHA512

    83bd1f44c257775d957525801abf687f514995d0ebd84361c0bed1b7e19208704be5d87a76b08a71aa9dff5e79cf8e114f82b30cc6af7acfb619945b4e297023

  • SSDEEP

    6144:ZbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:ZPcrfR6ZnOkx2LIa

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 6 IoCs

    Traffic on the DNS port (53) to servers other than the sandbox's configured DNS servers was detected.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
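Three of the signatures above map directly onto host telemetry: the self-deletion command line the process tree shows under cmd.exe (PID 5024), the four randomly named .sys files written to C:\Windows, and the SCSI / country-code registry reads. Note that the report attributes the driver drops to Explorer.EXE (PID 3120) while the sample itself (PID 4600) is flagged for WriteProcessMemory, which is consistent with the payload running inside explorer; rules keyed only on the sample's own PID would miss the drops. The following is an added example, not part of the sandbox report: rules for those three behaviours run over constructed Sysmon-like event records. The field names are an assumption, the registry key paths are the usual locations (the report does not name them), and Sysmon does not log registry reads at all (only create, delete, set and rename), so the registry rule needs EDR telemetry that does.

```python
# Added example (not part of the sandbox report): detection rules for three behaviours
# the report lists: self-deletion through "cmd /c timeout & del", driver (.sys) files
# written outside System32\drivers, and reads of the SCSI / geo-location registry keys.
# Event records are constructed in a Sysmon-like shape; field names are an assumption.
import ntpath
import re

# Shape from the report: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "<path>"
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+timeout\s.*?&\s*del\s+(?:/[a-z]\s+)*"?([^"]+?)"?\s*$',
    re.IGNORECASE,
)

# The report only says "SCSI registry key(s)" and "country code configured in the
# registry"; these are the usual locations and are assumed here.
WATCHED_REG_PREFIXES = (
    r"HKLM\HARDWARE\DEVICEMAP\Scsi",
    r"HKCU\Control Panel\International\Geo",
)

DRIVER_STORE = ntpath.normcase(r"C:\Windows\System32\drivers")


def detect_self_delete(ev):
    """cmd.exe child whose 'del' target is its own parent's image."""
    m = SELF_DELETE_RE.search(ev.get("command_line", ""))
    if m and ntpath.normcase(m.group(1)) == ntpath.normcase(ev.get("parent_image", "")):
        return {"rule": "self_delete_via_timeout", "pid": ev["pid"], "target": m.group(1)}
    return None


def detect_driver_drop(ev):
    """A .sys created anywhere but the driver store (the report shows four in the Windows root)."""
    target = ev.get("target", "")
    if target.lower().endswith(".sys") and ntpath.normcase(ntpath.dirname(target)) != DRIVER_STORE:
        return {"rule": "driver_file_outside_drivers_dir", "pid": ev["pid"], "target": target}
    return None


def detect_registry_probe(ev):
    """Read of a key used for VM detection (SCSI identifier) or geofencing (the Geo key)."""
    key = ntpath.normcase(ev.get("key", ""))
    if any(key.startswith(ntpath.normcase(p)) for p in WATCHED_REG_PREFIXES):
        return {"rule": "vm_or_geo_registry_probe", "pid": ev["pid"], "key": ev["key"]}
    return None


RULES = {
    "process_create": (detect_self_delete,),
    "file_create": (detect_driver_drop,),
    "registry_query": (detect_registry_probe,),
}


def run_rules(events):
    """Apply every rule registered for an event's type; return the findings in input order."""
    findings = []
    for ev in events:
        for rule in RULES.get(ev["type"], ()):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: PIDs mirror the report's process tree, paths are stand-ins.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 5024, "parent_image": SAMPLE,
     "command_line": r'"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "' + SAMPLE + '"'},
    # benign: same shape, but it deletes a log file, not its parent
    {"type": "process_create", "pid": 7001, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /Q "C:\Temp\old.log"'},
    {"type": "file_create", "pid": 3120, "image": r"C:\Windows\Explorer.EXE",
     "target": r"C:\Windows\CP2cZAAZhct.sys"},
    # benign: a driver landing where drivers belong
    {"type": "file_create", "pid": 900, "image": r"C:\Windows\System32\drvinst.exe",
     "target": r"C:\Windows\System32\drivers\usbhub3.sys"},
    {"type": "registry_query", "pid": 3120,
     "key": r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"},
    {"type": "registry_query", "pid": 4600, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry_query", "pid": 4600, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

The self-delete rule deliberately requires the deleted path to equal the parent's image: `cmd /c timeout & del` on its own is common in installers and updaters, and matching only the shape would be noisy. The driver rule keys on location rather than name because the names in the report are random per run.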

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:632
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:332
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Users\Admin\AppData\Local\Temp\d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe
        "C:\Users\Admin\AppData\Local\Temp\d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d8b6d30644f20bbad256f8083b4bcb799b5decfa6b4c6bf7d48fea2e51a5a6a8.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5024
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:3984

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

            Filesize

            2KB

            MD5

            9ba47a279b7950e198b6076171704bd8

            SHA1

            2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab

            SHA256

            1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6

            SHA512

            d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            1KB

            MD5

            b3e886f0a26b67c1234b30c755341758

            SHA1

            8a881fb559672e95834def740fc5ba017879b0db

            SHA256

            808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f

            SHA512

            66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

            Filesize

            599B

            MD5

            3fefedd2d651734aab0aff2f8161db56

            SHA1

            eda0d013d0db080e6477965234bf4db2aceb215e

            SHA256

            4a2a561a396876d9ef6387f7f5394313a82d06945aae92d672a39b3db8cc5f01

            SHA512

            0ac825bf61b063f64e93eb4638ebeb63457309068e8a8ac27ea15b79c0ae7968ec1db6df757d74d9350abfd262d2a834ab54ee47f8d04dbb6451f7133072a56e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

            Filesize

            484B

            MD5

            ae6833043329ae231c5b448609256159

            SHA1

            80376c2ae86e29419115f6627ba60f3fb571bd86

            SHA256

            04f928644e4219c04dfd357c9bab6394dc6470268e5a22625050d31105b0496e

            SHA512

            0f77d31f19dc2f3aaef49402c0140196538a50636a9627dbf69c5d1b3a0b982ec7f08ff027f0ec37b0ce622d86cb605f3eec0724ebc97bbb7088e2a171453f9d

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            482B

            MD5

            978ecd6c9c9744f7af39d017b24a1be6

            SHA1

            7bf39547f4fc2b1e6c14c2dffc1de5133337e654

            SHA256

            7e08cfb38a3c28596dc6baa3339c17d32a4e5d3f6f2a994ca574c85b8f088564

            SHA512

            76b59484b2bd375839a3383c37a33a22f182a6e90bb07941f534e568cb7f0055a27305cb3ce50fe459a104cb8da803a50f83250859ad034ecb692ad658b57fa9

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

            Filesize

            504B

            MD5

            5e581fbead4712c9a3f168e844fca310

            SHA1

            32a6add5dde11a8d0fdd4f21896f2f30c5f6a775

            SHA256

            7500528923c5ffe42d033eff3661d0865c38e1128d8e1c9f3acba3e76c07ff80

            SHA512

            0cf5a405bcd07cdc95d6d4d0a415418018318a0f95cb657b6eb546a6b1b37bba16fb1e8acfd5d4f5d89f8d966de4bd1f37d0a144f15ca800e2081b21df2662c5

          • C:\Windows\CP2cZAAZhct.sys

            Filesize

            447KB

            MD5

            d15f5f23df8036bd5089ce8d151b0e0d

            SHA1

            4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

            SHA256

            f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

            SHA512

            feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

          • C:\Windows\MbDsrriniWEuVL.sys

            Filesize

            415KB

            MD5

            64bc1983743c584a9ad09dacf12792e5

            SHA1

            0f14098f523d21f11129c4df09451413ddff6d61

            SHA256

            057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

            SHA512

            9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

          • C:\Windows\WEsEbbFbp3iyBr.sys

            Filesize

            415KB

            MD5

            a26ae0003789b5d75eb137c74c78def5

            SHA1

            99f378e99b0108b4fb64f833168b6de01c270999

            SHA256

            7938ff93eb069d2eec85f684756ad281c8f7b2a4347d1af54623cdcd847e1928

            SHA512

            cb0d4ae912bf74a173e38f81afe8989c9ac2661b698b06394c81cd70e0171cd9b6d48b2614094327042d8efa4c874d4394fe2e172a0cfe4a4cbe703b9e8849e2

          • C:\Windows\qbsIAfDLHU.sys

            Filesize

            447KB

            MD5

            f7dfe1084650949c52c95870b436b2e5

            SHA1

            f74784bdfd8749c3fd21cef27af46d09fc591bcb

            SHA256

            e5173f1190e94b0d6bad6bd01724c7100d77cce071e27f22de8480d75c439053

            SHA512

            65b7b3708d1f0b56d3b6dc5ff245585710401f9155210a5a25f7aa3720720988e3865c2e3096a0c590841e20f384f0e1fe135acc34ce10e07eb2231138442004
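Of the files listed above, the six under CryptnetUrlCache are CryptoAPI's cache of certificate, CRL and OCSP fetches; Windows creates them whenever a signature is verified, so they are not useful indicators on their own. The four .sys files in C:\Windows are: their names are random per run, so a hunt has to go by hash and by location. The following is an added example, not part of the report, that hashes every driver image sitting directly in a Windows root directory and compares it against the report's SHA256 values. The directory is a parameter so the routine can be pointed at C:\Windows on a suspect host; here it runs against a constructed directory with a planted dummy .sys.

```python
# Added example (not from the report): on-disk hunt for the four kernel drivers listed
# under Downloads. SHA256 values are copied from the report; the walked directory is a
# parameter, and build_constructed_root() fabricates a stand-in for C:\Windows.
import hashlib
import tempfile
from pathlib import Path

DROPPED_DRIVERS = {  # sha256 -> file name, from the report's Downloads section
    "f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520": "CP2cZAAZhct.sys",
    "057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5": "MbDsrriniWEuVL.sys",
    "7938ff93eb069d2eec85f684756ad281c8f7b2a4347d1af54623cdcd847e1928": "WEsEbbFbp3iyBr.sys",
    "e5173f1190e94b0d6bad6bd01724c7100d77cce071e27f22de8480d75c439053": "qbsIAfDLHU.sys",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so a large driver is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_windows_root(windows_dir):
    """Hash every *.sys sitting directly in windows_dir (not recursive).

    Two kinds of finding: an exact match against the report's hashes, or a driver
    image in the Windows root at all. Windows keeps its drivers under System32\\drivers,
    so a .sys here is worth a look even when it is a rebuilt variant with a new hash.
    """
    findings = []
    for entry in sorted(Path(windows_dir).iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".sys":
            continue
        digest = sha256_file(entry)
        known = DROPPED_DRIVERS.get(digest)
        findings.append({
            "path": str(entry),
            "size": entry.stat().st_size,
            "sha256": digest,
            "known_ioc": known,
            "reason": "hash_match" if known else "sys_in_windows_root",
        })
    return findings


def build_constructed_root():
    """Constructed stand-in for C:\\Windows: one planted dummy .sys and one unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="winroot_"))
    (root / "aBcDeFgHiJ.sys").write_bytes(b"MZ-constructed-driver-stub")
    (root / "notepad.exe").write_bytes(b"MZ-constructed-benign")
    return root


if __name__ == "__main__":
    for finding in hunt_windows_root(build_constructed_root()):
        print(finding)
```

On a real host the hash comparison is the confirmation and the location check is the lead: a driver that matches none of the four hashes but sits in the Windows root still warrants pulling the file and checking its signature and the service that loads it.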

          • memory/332-198-0x0000024063920000-0x0000024063923000-memory.dmp

            Filesize

            12KB

          • memory/332-218-0x0000024063940000-0x00000240639EF000-memory.dmp

            Filesize

            700KB

          • memory/332-216-0x0000024063A00000-0x0000024063A01000-memory.dmp

            Filesize

            4KB

          • memory/332-212-0x00000240642B0000-0x000002406435F000-memory.dmp

            Filesize

            700KB

          • memory/332-199-0x0000024063A00000-0x0000024063A01000-memory.dmp

            Filesize

            4KB

          • memory/332-201-0x0000024063940000-0x00000240639EF000-memory.dmp

            Filesize

            700KB

          • memory/332-202-0x0000024063B00000-0x0000024063B01000-memory.dmp

            Filesize

            4KB

          • memory/332-197-0x0000024063920000-0x0000024063923000-memory.dmp

            Filesize

            12KB

          • memory/632-33-0x00000201C3CC0000-0x00000201C3CE8000-memory.dmp

            Filesize

            160KB

          • memory/3120-211-0x0000000002F70000-0x0000000002F71000-memory.dmp

            Filesize

            4KB

          • memory/3120-72-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

          • memory/3120-69-0x00000000026C0000-0x00000000026C1000-memory.dmp

            Filesize

            4KB

          • memory/3120-68-0x00000000084B0000-0x0000000008561000-memory.dmp

            Filesize

            708KB

          • memory/3120-25-0x00000000084B0000-0x0000000008561000-memory.dmp

            Filesize

            708KB

          • memory/3120-81-0x0000000009070000-0x000000000911F000-memory.dmp

            Filesize

            700KB

          • memory/3120-71-0x00000000026F0000-0x00000000026F1000-memory.dmp

            Filesize

            4KB

          • memory/3120-31-0x00000000026B0000-0x00000000026B1000-memory.dmp

            Filesize

            4KB

          • memory/3120-26-0x0000000002690000-0x0000000002693000-memory.dmp

            Filesize

            12KB

          • memory/3120-70-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

          • memory/3120-29-0x00007FF8E21E0000-0x00007FF8E21F0000-memory.dmp

            Filesize

            64KB

          • memory/3120-27-0x00000000084B0000-0x0000000008561000-memory.dmp

            Filesize

            708KB

          • memory/3120-24-0x0000000002690000-0x0000000002693000-memory.dmp

            Filesize

            12KB

          • memory/3120-22-0x0000000002690000-0x0000000002693000-memory.dmp

            Filesize

            12KB

          • memory/3120-219-0x000000000D140000-0x000000000D1EF000-memory.dmp

            Filesize

            700KB

          • memory/3120-217-0x0000000009230000-0x0000000009234000-memory.dmp

            Filesize

            16KB

          • memory/3120-73-0x00000000026C0000-0x00000000026C1000-memory.dmp

            Filesize

            4KB

          • memory/3120-74-0x00000000026C0000-0x00000000026C1000-memory.dmp

            Filesize

            4KB

          • memory/3120-200-0x0000000002D40000-0x0000000002D41000-memory.dmp

            Filesize

            4KB

          • memory/3120-75-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

          • memory/3120-220-0x0000000002F70000-0x0000000002F71000-memory.dmp

            Filesize

            4KB

          • memory/3120-196-0x0000000002D40000-0x0000000002D41000-memory.dmp

            Filesize

            4KB

          • memory/3120-203-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

          • memory/3120-213-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

          • memory/3120-76-0x00000000026B0000-0x00000000026B1000-memory.dmp

            Filesize

            4KB

          • memory/3120-66-0x00007FF8E21E0000-0x00007FF8E21F0000-memory.dmp

            Filesize

            64KB

          • memory/3120-210-0x000000000D140000-0x000000000D1EF000-memory.dmp

            Filesize

            700KB

          • memory/3120-209-0x00000000026F0000-0x00000000026F1000-memory.dmp

            Filesize

            4KB

          • memory/3120-207-0x00000000026C0000-0x00000000026C1000-memory.dmp

            Filesize

            4KB

          • memory/3120-214-0x00007FF61DDD0000-0x00007FF61DDD1000-memory.dmp

            Filesize

            4KB

          • memory/3120-215-0x0000000009070000-0x000000000911F000-memory.dmp

            Filesize

            700KB

          • memory/3120-67-0x00000000026C0000-0x00000000026C1000-memory.dmp

            Filesize

            4KB

          • memory/4600-28-0x00000000009C0000-0x0000000000A4C000-memory.dmp

            Filesize

            560KB

          • memory/4600-56-0x00000000009C0000-0x0000000000A4C000-memory.dmp

            Filesize

            560KB

          • memory/4600-0-0x00000000009C0000-0x0000000000A4C000-memory.dmp

            Filesize

            560KB

          • memory/4600-15-0x00000000009C0000-0x0000000000A4C000-memory.dmp

            Filesize

            560KB