Analysis
max time kernel: 5s
max time network: 154s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 08/12/2023, 12:36
Behavioral task: behavioral1
Sample: 84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe
Resource: win7-20231020-en
General
Target: 84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe
Size: 1.5MB
MD5: a441561cc8fc071c5f59d97c90cc13f6
SHA1: 1d2ba7328ebd85ec060b89e23f5b5ae0ace61784
SHA256: 84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6
SHA512: 80b0035af398f271c0364400476e3d043a2a12a4e44bdbb255b71aed2f2187bc437c2b4d07a8ccc254c80dcadb746aba010290ff5955f56f1559304fcfc213f1
SSDEEP: 12288:kOuW5o/oStsq4CWKKCrZTGF/k8uMxtxPvvzl6yyyRyyyec0:kjSow1qJbKkKF/eMNPjlvc0
Malware Config: no extracted configuration is listed in the report.
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 1260 created 420 | 1260 | Explorer.EXE | 3
  Explorer.EXE (PID 1260) created a process whose recorded parent is a different process, winlogon.exe (PID 420, sandbox-internal process id 3). This is why the process tree below shows RpcPing.exe (PID 2052) under winlogon.exe while the WriteProcessMemory rows show Explorer.EXE, not winlogon.exe, writing into PID 2052: the parent was spoofed at creation time.

Executes dropped EXE (1 IoC)
  pid | Process
  2052 | RpcPing.exe
  The file shares its name with Microsoft's RPC Ping diagnostic tool, but this copy is a dropped file at the drive root (C:\RpcPing.exe).

Yara rule match: upx (3 IoCs, memory of the sample process)
  resource | yara_rule
  behavioral1/memory/2392-0-0x0000000000D90000-0x0000000000DFE000-memory.dmp | upx
  behavioral1/memory/2392-46-0x0000000000D90000-0x0000000000DFE000-memory.dmp | upx
  behavioral1/memory/2392-67-0x0000000000D90000-0x0000000000DFE000-memory.dmp | upx
  All three dumps cover the same 0x6E000-byte region of PID 2392 (the sample) taken at different points in the run.

Unexpected DNS network traffic destination (1 IoC)
  Network traffic to a server other than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 114.114.114.114
  114.114.114.114 is a public resolver (114DNS, China). A sample that hard-codes a public resolver bypasses the resolver the host is configured to use, and with it any DNS logging, filtering or sinkholing done there.
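The check behind this signature is simple to reproduce on a packet capture: collect every flow to a DNS port and keep the destinations that are not the host's configured resolvers. The following is an added example and not part of the sandbox report; it parses tcpdump-style one-line records, which are constructed here (the only destination taken from the report is 114.114.114.114, and the resolver address 10.127.0.1 is an assumption standing in for the sandbox's DNS server).

```python
"""Flag DNS-port traffic to resolvers the host is not configured to use.

Added example, not part of the sandbox report. Input is `tcpdump -n` style
text; the records below are constructed, and CONFIGURED_RESOLVERS is an
assumed value for the sandbox's DNS server.
"""
import re
from collections import Counter

CONFIGURED_RESOLVERS = {"10.127.0.1"}   # assumption: the host's configured resolver
DNS_PORTS = {53, 853}                   # plain DNS and DNS-over-TLS

# "HH:MM:SS.usec IP src.sport > dst.dport: <rest>"
_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_flow(line: str):
    """Return the 5-tuple-ish fields of one tcpdump line, or None if it is not one."""
    m = _LINE.match(line)
    if not m:
        return None
    # tcpdump prints TCP flags for TCP segments; UDP lines carry the DNS payload summary
    proto = "tcp" if "Flags [" in m["rest"] else "udp"
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "proto": proto,
    }


def unexpected_dns_destinations(lines, resolvers=CONFIGURED_RESOLVERS, ports=DNS_PORTS):
    """Count (dst, proto, dport) for DNS-port traffic that is not going to a configured resolver."""
    hits = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dport"] not in ports:
            continue
        if flow["dst"] in resolvers:
            continue
        hits[(flow["dst"], flow["proto"], flow["dport"])] += 1
    return dict(hits)


# Constructed capture: one legitimate lookup and its answer via the configured
# resolver, then queries to the report's 114.114.114.114 over UDP and TCP, a
# DNS-over-TLS attempt, and an unrelated HTTPS connection that must not match.
SAMPLE_LINES = [
    "12:36:01.000100 IP 10.127.0.10.49160 > 10.127.0.1.53: 4711+ A? www.msftncsi.com. (34)",
    "12:36:01.000900 IP 10.127.0.1.53 > 10.127.0.10.49160: 4711 1/0/0 A 131.107.255.255 (50)",
    "12:36:02.100000 IP 10.127.0.10.49161 > 114.114.114.114.53: 38412+ A? example.invalid. (33)",
    "12:36:02.400000 IP 10.127.0.10.49162 > 114.114.114.114.53: Flags [S], seq 0, win 8192, length 0",
    "12:36:03.000000 IP 10.127.0.10.49163 > 1.1.1.1.853: Flags [S], seq 0, win 8192, length 0",
    "12:36:03.500000 IP 10.127.0.10.49164 > 8.8.8.8.443: Flags [S], seq 0, win 8192, length 0",
]

if __name__ == "__main__":
    for key, count in sorted(unexpected_dns_destinations(SAMPLE_LINES).items()):
        print("unexpected DNS destination %s/%s port %d: %d flow(s)" % (key[0], key[1], key[2], count))
```

Matching on destination port alone is what the sandbox signature does, so a response from the configured resolver (source port 53, high destination port) is not counted; a resolver you do not manage answering on port 53 would be. Feed it `tcpdump -n -r capture.pcap 'port 53 or port 853'` output from the sandbox and replace the resolver set with the addresses from `ipconfig /all`.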
Yara rule match: vmprotect (4 IoCs, dropped files)
  resource | yara_rule
  behavioral1/files/0x000d000000015de1-157.dat | vmprotect
  behavioral1/files/0x0018000000015de1-253.dat | vmprotect
  behavioral1/files/0x0016000000015e30-337.dat | vmprotect
  behavioral1/files/0x0013000000015e70-421.dat | vmprotect
  The resource names are the sandbox's identifiers for files written during the run; the hashes of the dropped files are listed under Downloads. The sample itself is UPX-packed, the payloads it drops are VMProtect-packed, so static analysis of either needs unpacking first.

Delays execution with timeout.exe (1 IoC)
  pid | Process
  2144 | timeout.exe

Modifies data under HKEY_USERS (9 IoCs)
  description | ioc | Process
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | RpcPing.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | RpcPing.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | RpcPing.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | RpcPing.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | RpcPing.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | RpcPing.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | RpcPing.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | RpcPing.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | RpcPing.exe
  Two things matter here. First, every write lands under HKEY_USERS\.DEFAULT, the hive that the LocalSystem account sees as HKEY_CURRENT_USER, so RpcPing.exe is running as SYSTEM (its spoofed parent, winlogon.exe, runs as SYSTEM as well). Second, the values are the ones WinINET initialises the first time it is used from a profile: ProxyEnable = 0, the cache prefixes, and a connection-settings blob whose flags DWORD is 9 (PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT) with empty proxy, bypass and auto-config strings, which is the Windows default. This is evidence of WinINET network activity from the SYSTEM context, not of a proxy or traffic hijack.
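To check the proxy-settings claim rather than take it on trust, decode the blob. The parser below is an added example and not part of the report or the sample; the layout it implements is the one used for value version 0x46 on Windows 7 (six little-endian DWORDs: version, change counter, flags, then three length-prefixed ANSI strings for proxy server, bypass list and auto-config URL, followed by 32 reserved bytes), and the flag bits are WinINET's PROXY_TYPE_* constants. The hex input is copied from the report; the "hijacked" blob built in the usage path is constructed for contrast.

```python
"""Decode the WinINET DefaultConnectionSettings / SavedLegacySettings blob.

Added example, not part of the sandbox report. REPORT_BLOB_HEX is the value
the report shows RpcPing.exe writing (both registry values are identical).
"""
import struct

# WinINET PROXY_TYPE_* flag bits (wininet.h)
PROXY_TYPE_DIRECT = 0x01          # direct connections allowed
PROXY_TYPE_PROXY = 0x02           # manual proxy taken from the proxy-server string
PROXY_TYPE_AUTO_PROXY_URL = 0x04  # PAC script taken from the auto-config URL string
PROXY_TYPE_AUTO_DETECT = 0x08     # WPAD auto-detection

FLAG_NAMES = {
    PROXY_TYPE_DIRECT: "PROXY_TYPE_DIRECT",
    PROXY_TYPE_PROXY: "PROXY_TYPE_PROXY",
    PROXY_TYPE_AUTO_PROXY_URL: "PROXY_TYPE_AUTO_PROXY_URL",
    PROXY_TYPE_AUTO_DETECT: "PROXY_TYPE_AUTO_DETECT",
}

# Hex exactly as listed in the report's "Modifies data under HKEY_USERS" rows.
REPORT_BLOB_HEX = "4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"


def _dword(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated blob at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _lpstr(buf: bytes, off: int):
    """DWORD length followed by that many ANSI bytes (no terminator)."""
    n, off = _dword(buf, off)
    if off + n > len(buf):
        raise ValueError("string of length %d overruns blob at offset %d" % (n, off))
    return buf[off:off + n].decode("latin-1"), off + n


def parse_connection_settings(blob: bytes) -> dict:
    """Split the blob into its fields; reserved_bytes is whatever trails the last string."""
    version, off = _dword(blob, 0)
    counter, off = _dword(blob, off)
    flags, off = _dword(blob, off)
    proxy, off = _lpstr(blob, off)
    bypass, off = _lpstr(blob, off)
    pac_url, off = _lpstr(blob, off)
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "proxy_server": proxy,
        "bypass_list": bypass,
        "autoconfig_url": pac_url,
        "reserved_bytes": len(blob) - off,
    }


def build_connection_settings(flags: int, proxy: str = "", bypass: str = "",
                              pac_url: str = "", counter: int = 1) -> bytes:
    """Inverse of the parser: produce a version-0x46 blob (useful for a known-good baseline)."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        raw = s.encode("latin-1")
        out += struct.pack("<I", len(raw)) + raw
    return out + bytes(32)


def classify(settings: dict) -> str:
    """One-line triage verdict: is traffic being redirected, or is this the default?"""
    flags = settings["flags"]
    if flags & PROXY_TYPE_PROXY and settings["proxy_server"]:
        return "manual proxy -> " + settings["proxy_server"]
    if flags & PROXY_TYPE_AUTO_PROXY_URL and settings["autoconfig_url"]:
        return "PAC script -> " + settings["autoconfig_url"]
    if flags == PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT:
        return "Windows default (direct + WPAD auto-detect); no redirection configured"
    return "unusual flags 0x%x with no proxy string" % flags


if __name__ == "__main__":
    parsed = parse_connection_settings(bytes.fromhex(REPORT_BLOB_HEX))
    print(parsed)
    print(classify(parsed))
    # constructed contrast case: a blob an interception implant would write
    hijacked = build_connection_settings(PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY, proxy="127.0.0.1:8080")
    print(classify(parse_connection_settings(hijacked)))
```

On a live host the same value can be pulled with `reg query "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings` and pasted into `REPORT_BLOB_HEX`; a non-empty proxy string or a PAC URL pointing off-host is the finding to chase, a flags value of 9 with empty strings is noise.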
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2392 | 84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe (5 hits)
  1260 | Explorer.EXE (3 hits)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2392 | 84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe
  Token: SeTcbPrivilege | 2392 | 84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe
  Token: SeDebugPrivilege | 2392 | 84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe
  Token: SeDebugPrivilege | 1260 | Explorer.EXE
  Token: SeDebugPrivilege | 1260 | Explorer.EXE
  SeDebugPrivilege is what a process needs to open other processes for writing; SeTcbPrivilege ("act as part of the operating system") is the privilege needed to create arbitrary tokens and is not something a user-mode program asks for without reason.

Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 2392 wrote to memory of 1260 | 2392 | 84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe | 15 (5 hits)
  PID 1260 wrote to memory of 2052 | 1260 | Explorer.EXE | 29 (8 hits)
  The order matters: the sample writes into Explorer.EXE first, and only after that does Explorer.EXE enumerate processes, enable SeDebugPrivilege, create RpcPing.exe under a spoofed parent and write into it. That is the footprint of code injected into Explorer.EXE doing the second stage on the sample's behalf, so the Explorer.EXE rows should be read as sample activity, not as Explorer's own.
Processes

C:\Windows\system32\winlogon.exe  winlogon.exe  [1] PID 420
  C:\RpcPing.exe  "C:\RpcPing.exe"  [2] PID 2052
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    C:\Windows\system32\rasdial.exe  "C:\Windows\system32\rasdial.exe"  [3] PID 1768

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  [1] PID 1260
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe  "C:\Users\Admin\AppData\Local\Temp\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe"  [2] PID 2392
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe"  [3] PID 2964
      C:\Windows\SysWOW64\timeout.exe  timeout /t 1  [4] PID 2144
        - Delays execution with timeout.exe

The two trees are one chain. The sample (PID 2392) is a 32-bit image, which is why its request for System32\cmd.exe is redirected to SysWOW64; it injects into Explorer.EXE, the injected code creates C:\RpcPing.exe with winlogon.exe recorded as the parent and writes into it, RpcPing.exe launches rasdial.exe, and in parallel cmd.exe waits one second and deletes the original sample from Temp. After the run, RpcPing.exe at the drive root is what is left on disk, and anyone inspecting the parent-child relationships on the box sees it as a child of winlogon.exe.
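The spoofed parent and the delayed self-deletion are both visible only if you compare the process tree as recorded against the creation events as they happened. The script below is an added example, not part of the report: it replays the tree above as a list of creation events and re-derives both findings. PIDs, images and command lines are copied from the tree; the field the report does not print is which process actually issued the create call, so `creator_pid` is set to 1260 for RpcPing.exe (the signature names Explorer.EXE as the creator and winlogon.exe, PID 420, as the recorded parent) and to the recorded parent for every other process. That assignment is an assumption and is marked as such in the code.

```python
"""Replay the report's process tree as creation events and check for
(a) a child whose recorded parent is not the process that created it and
(b) a cmd.exe child that deletes its own parent's image after a delay.

Added example, not part of the sandbox report. creator_pid for RpcPing.exe
is an assumption taken from the NtCreateUserProcessOtherParentProcess row.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # parent stored in the process object (what Task Manager shows)
    creator_pid: int   # process that issued the create call (ETW / EDR process-start telemetry)
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe")

EVENTS = [
    ProcEvent(2392, 1260, 1260, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(2964, 2392, 2392, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "%s"' % SAMPLE),
    ProcEvent(2144, 2964, 2964, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 1"),
    # creator_pid = 1260 is the assumption described above (spoofed parent 420)
    ProcEvent(2052, 420, 1260, r"C:\RpcPing.exe", r'"C:\RpcPing.exe"'),
    ProcEvent(1768, 2052, 2052, r"C:\Windows\system32\rasdial.exe", r'"C:\Windows\system32\rasdial.exe"'),
]

_DEL_CMD = re.compile(r"^\s*(?:del|erase)\b(.*)$", re.I | re.S)
_DELAY_CMD = re.compile(r"\b(?:timeout|ping|sleep)\b", re.I)


def find_ppid_spoofing(events):
    """Events whose recorded parent differs from the process that created them."""
    return [e for e in events if e.creator_pid != e.ppid]


def deleted_paths(cmdline: str):
    """Targets of every del/erase in a cmd.exe command string, plus whether a delay command is present."""
    paths, delayed = [], False
    for segment in re.split(r"&+|\|\|?", cmdline):       # '&', '&&', '|', '||' separate commands
        m = _DEL_CMD.match(segment)
        if not m:
            if _DELAY_CMD.search(segment):
                delayed = True
            continue
        args = m.group(1)
        quoted = re.findall(r'"([^"]+)"', args)
        paths.extend(quoted if quoted else [t for t in args.split() if not t.startswith("/")])
    return paths, delayed


def find_self_delete(events):
    """cmd.exe children whose command line deletes the image of their own parent."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        paths, delayed = deleted_paths(e.cmdline)
        if any(p.strip().lower() == parent.image.lower() for p in paths):
            hits.append({"cmd_pid": e.pid, "victim_pid": parent.pid,
                         "victim_image": parent.image, "delayed": delayed})
    return hits


def lineage(events, pid: int, key: str = "ppid"):
    """Ancestry of pid by recorded parent ('ppid') or by real creator ('creator_pid')."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [pid], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = getattr(by_pid[pid], key)
        chain.append(pid)
    return chain


if __name__ == "__main__":
    for e in find_ppid_spoofing(EVENTS):
        print("PPID spoofing: pid %d (%s) recorded parent %d, created by %d" % (e.pid, e.image, e.ppid, e.creator_pid))
        print("  recorded lineage:", lineage(EVENTS, e.pid, "ppid"))
        print("  creator lineage: ", lineage(EVENTS, e.pid, "creator_pid"))
    for h in find_self_delete(EVENTS):
        print("self-delete: cmd.exe %d removes %s (pid %d), delayed=%s" % (h["cmd_pid"], h["victim_image"], h["victim_pid"], h["delayed"]))
```

The two lineages are the point: walked by recorded parent, RpcPing.exe descends from winlogon.exe; walked by creator, it descends from Explorer.EXE and, one hop further, from the sample. Sysmon event 1 and most EDR process-start events carry both the parent the kernel recorded and the process that made the call, so the same comparison works on production telemetry.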
Network
MITRE ATT&CK Matrix
Downloads (files written during the run; file paths survived extraction only for the two CryptnetUrlCache entries)

Filesize: 29KB (this record appears three times in the report, presumably the same content at three paths)
MD5: 35b321a3cce787a2bb0d77bbf9eee89c
SHA1: 834e1b69166d7ba967fa613a3d90068125a5b067
SHA256: 76ce06da4bc59b123e141557e5811680f4a91899ead06fd537981d68e27da07e
SHA512: c8c25d0b1e27ab768a31b6697edd93d9fc35585445abb63a0287634346b5aa9bfc534588edc2cc34f2df5fe622438a5192314dd9aa76b4b01c1707b163c0f8b4

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 29KB
MD5: d59a6b36c5a94916241a3ead50222b6f
SHA1: e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256: a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512: 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Filesize: 81KB
MD5: b13f51572f55a2d31ed9f266d581e9ea
SHA1: 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256: 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512: f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Filesize: 447KB
MD5: 21e751fbabec800b8bdb35f9e17ead01
SHA1: 074675579da30d76c07e3b126c937464e5519dc7
SHA256: 296bd26d70375772a9febe53d21f9dae5c254a82dc1e9602b3ddb80ab4fee636
SHA512: 73816e2cfacb7da85032b6b8b848bec6b35ca7fa82b03e5f76e771b1842d126d04ed8e3c332174ce4eb5e10f3b2f08fe82c2b6321befc98db8d7a82e4622f39c

Filesize: 415KB
MD5: 64bc1983743c584a9ad09dacf12792e5
SHA1: 0f14098f523d21f11129c4df09451413ddff6d61
SHA256: 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA512: 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 56450d277e2160382e2bb60759a058b3
SHA1: 80dfabe94a9a48497e3891d2cf422a5a9439c56d
SHA256: 13b3925078aae787adc58467a1a88df780abe247d6cd6cf9f282388ee0d86d5d
SHA512: c23ba8d14b286d6b0c54d5bde7a8f9f78439673821bbc0b0a909921a384532e24f95b76afacf0f040e0bcc8816d101a99511fd26c76074f9766c968eccbc007e

The CryptnetUrlCache pair (Content plus MetaData with the same hash-named file) is what CryptoAPI writes when it fetches a certificate, CRL or OCSP response over the network; its location under the systemprofile directory means the fetch was made by a process running as LocalSystem, which matches the HKEY_USERS\.DEFAULT registry writes by RpcPing.exe.

Filesize: 415KB
MD5: 28ccb3d2a0ea9fdcd359602f69b7efb6
SHA1: 0878427d32dc4acb8be55456959920fb881ed35d
SHA256: 67f4d0b4694d9df9f952b507ec4a8a75fae566898016dcbfcf7f5677c3158457
SHA512: 2d324218fe3020f81ac556175060b4c93c04d2eac2a4c8e09fc9d7cb32ca8e636979422bf25be248f0857371071b3afbe48dee12ec797c3568f54f5aab2e6215

Filesize: 447KB
MD5: d15f5f23df8036bd5089ce8d151b0e0d
SHA1: 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256: f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512: feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9