Analysis

  • max time kernel
    5s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/12/2023, 12:36

General

  • Target

    84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe

  • Size

    1.5MB

  • MD5

    a441561cc8fc071c5f59d97c90cc13f6

  • SHA1

    1d2ba7328ebd85ec060b89e23f5b5ae0ace61784

  • SHA256

    84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6

  • SHA512

    80b0035af398f271c0364400476e3d043a2a12a4e44bdbb255b71aed2f2187bc437c2b4d07a8ccc254c80dcadb746aba010290ff5955f56f1559304fcfc213f1

  • SSDEEP

    12288:kOuW5o/oStsq4CWKKCrZTGF/k8uMxtxPvvzl6yyyRyyyec0:kjSow1qJbKkKF/eMNPjlvc0

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:420
    • C:\RpcPing.exe
      "C:\RpcPing.exe"
      2⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2052
      • C:\Windows\system32\rasdial.exe
        "C:\Windows\system32\rasdial.exe"
        3⤵
        PID:1768
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe
      "C:\Users\Admin\AppData\Local\Temp\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe"
        3⤵
        PID:2964
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          4⤵
          • Delays execution with timeout.exe
          PID:2144

Network

MITRE ATT&CK Matrix

Downloads

              • C:\RpcPing.exe

                Filesize

                29KB

                MD5

                35b321a3cce787a2bb0d77bbf9eee89c

                SHA1

                834e1b69166d7ba967fa613a3d90068125a5b067

                SHA256

                76ce06da4bc59b123e141557e5811680f4a91899ead06fd537981d68e27da07e

                SHA512

                c8c25d0b1e27ab768a31b6697edd93d9fc35585445abb63a0287634346b5aa9bfc534588edc2cc34f2df5fe622438a5192314dd9aa76b4b01c1707b163c0f8b4

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                Filesize

                65KB

                MD5

                ac05d27423a85adc1622c714f2cb6184

                SHA1

                b0fe2b1abddb97837ea0195be70ab2ff14d43198

                SHA256

                c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                SHA512

                6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

              • C:\Users\Admin\AppData\Local\Temp\CabC93A.tmp

                Filesize

                29KB

                MD5

                d59a6b36c5a94916241a3ead50222b6f

                SHA1

                e274e9486d318c383bc4b9812844ba56f0cff3c6

                SHA256

                a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

                SHA512

                17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

              • C:\Users\Admin\AppData\Local\Temp\TarC94D.tmp

                Filesize

                81KB

                MD5

                b13f51572f55a2d31ed9f266d581e9ea

                SHA1

                7eef3111b878e159e520f34410ad87adecf0ca92

                SHA256

                725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

                SHA512

                f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

              • C:\Users\Admin\AppData\Local\Temp\TarCBB1.tmp

                Filesize

                171KB

                MD5

                9c0c641c06238516f27941aa1166d427

                SHA1

                64cd549fb8cf014fcd9312aa7a5b023847b6c977

                SHA256

                4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                SHA512

                936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

              • C:\Windows\1DuJEOTB1tHfc.sys

                Filesize

                447KB

                MD5

                21e751fbabec800b8bdb35f9e17ead01

                SHA1

                074675579da30d76c07e3b126c937464e5519dc7

                SHA256

                296bd26d70375772a9febe53d21f9dae5c254a82dc1e9602b3ddb80ab4fee636

                SHA512

                73816e2cfacb7da85032b6b8b848bec6b35ca7fa82b03e5f76e771b1842d126d04ed8e3c332174ce4eb5e10f3b2f08fe82c2b6321befc98db8d7a82e4622f39c

              • C:\Windows\Ktt8orT4phnAh.sys

                Filesize

                415KB

                MD5

                64bc1983743c584a9ad09dacf12792e5

                SHA1

                0f14098f523d21f11129c4df09451413ddff6d61

                SHA256

                057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

                SHA512

                9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

              • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

                Filesize

                1KB

                MD5

                a266bb7dcc38a562631361bbf61dd11b

                SHA1

                3b1efd3a66ea28b16697394703a72ca340a05bd5

                SHA256

                df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                SHA512

                0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

              • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

                Filesize

                242B

                MD5

                56450d277e2160382e2bb60759a058b3

                SHA1

                80dfabe94a9a48497e3891d2cf422a5a9439c56d

                SHA256

                13b3925078aae787adc58467a1a88df780abe247d6cd6cf9f282388ee0d86d5d

                SHA512

                c23ba8d14b286d6b0c54d5bde7a8f9f78439673821bbc0b0a909921a384532e24f95b76afacf0f040e0bcc8816d101a99511fd26c76074f9766c968eccbc007e

              • C:\Windows\Z3NWZNa8hzR.sys

                Filesize

                415KB

                MD5

                28ccb3d2a0ea9fdcd359602f69b7efb6

                SHA1

                0878427d32dc4acb8be55456959920fb881ed35d

                SHA256

                67f4d0b4694d9df9f952b507ec4a8a75fae566898016dcbfcf7f5677c3158457

                SHA512

                2d324218fe3020f81ac556175060b4c93c04d2eac2a4c8e09fc9d7cb32ca8e636979422bf25be248f0857371071b3afbe48dee12ec797c3568f54f5aab2e6215

              • C:\Windows\x4r9Lo83GmI1Lg.sys

                Filesize

                447KB

                MD5

                d15f5f23df8036bd5089ce8d151b0e0d

                SHA1

                4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

                SHA256

                f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

                SHA512

                feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

              • memory/420-45-0x0000000000870000-0x0000000000898000-memory.dmp

                Filesize

                160KB

              • memory/420-44-0x0000000000870000-0x0000000000898000-memory.dmp

                Filesize

                160KB

              • memory/420-109-0x0000000000870000-0x0000000000898000-memory.dmp

                Filesize

                160KB

              • memory/1228-655-0x0000000000200000-0x0000000000201000-memory.dmp

                Filesize

                4KB

              • memory/1228-665-0x00000000025F0000-0x0000000002712000-memory.dmp

                Filesize

                1.1MB

              • memory/1228-651-0x00000000025F0000-0x0000000002712000-memory.dmp

                Filesize

                1.1MB

              • memory/1228-653-0x0000000000200000-0x0000000000201000-memory.dmp

                Filesize

                4KB

              • memory/1228-649-0x00000000001D0000-0x00000000001D3000-memory.dmp

                Filesize

                12KB

              • memory/1260-144-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/1260-654-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

                Filesize

                4KB

              • memory/1260-19-0x0000000002A60000-0x0000000002A63000-memory.dmp

                Filesize

                12KB

              • memory/1260-664-0x0000000003A60000-0x0000000003A63000-memory.dmp

                Filesize

                12KB

              • memory/1260-663-0x0000000008D80000-0x0000000008EA2000-memory.dmp

                Filesize

                1.1MB

              • memory/1260-645-0x0000000003A60000-0x0000000003A63000-memory.dmp

                Filesize

                12KB

              • memory/1260-18-0x0000000002A60000-0x0000000002A63000-memory.dmp

                Filesize

                12KB

              • memory/1260-22-0x0000000006B60000-0x0000000006C57000-memory.dmp

                Filesize

                988KB

              • memory/1260-652-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

                Filesize

                4KB

              • memory/1260-656-0x0000000008FC0000-0x0000000008FC4000-memory.dmp

                Filesize

                16KB

              • memory/1260-21-0x0000000006B60000-0x0000000006C57000-memory.dmp

                Filesize

                988KB

              • memory/1260-648-0x0000000008D80000-0x0000000008EA2000-memory.dmp

                Filesize

                1.1MB

              • memory/1260-486-0x0000000002A80000-0x0000000002A81000-memory.dmp

                Filesize

                4KB

              • memory/1260-476-0x0000000002A80000-0x0000000002A81000-memory.dmp

                Filesize

                4KB

              • memory/1260-81-0x0000000006B60000-0x0000000006C57000-memory.dmp

                Filesize

                988KB

              • memory/1260-235-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/1260-219-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/1260-214-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/1260-137-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/1260-164-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/1260-151-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/1260-171-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/1260-133-0x0000000002A80000-0x0000000002A81000-memory.dmp

                Filesize

                4KB

              • memory/1768-182-0x0000000001EC0000-0x0000000002066000-memory.dmp

                Filesize

                1.6MB

              • memory/1768-114-0x0000000000170000-0x000000000030C000-memory.dmp

                Filesize

                1.6MB

              • memory/1768-126-0x0000000001EC0000-0x0000000002066000-memory.dmp

                Filesize

                1.6MB

              • memory/1768-180-0x000007FEBD370000-0x000007FEBD380000-memory.dmp

                Filesize

                64KB

              • memory/2052-38-0x0000000001DF0000-0x0000000001EBB000-memory.dmp

                Filesize

                812KB

              • memory/2052-641-0x0000000002A80000-0x0000000002A81000-memory.dmp

                Filesize

                4KB

              • memory/2052-202-0x0000000005D10000-0x0000000005E32000-memory.dmp

                Filesize

                1.1MB

              • memory/2052-129-0x0000000005D10000-0x0000000005E32000-memory.dmp

                Filesize

                1.1MB

              • memory/2052-107-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/2052-99-0x0000000000870000-0x0000000000898000-memory.dmp

                Filesize

                160KB

              • memory/2052-97-0x0000000036D60000-0x0000000036D70000-memory.dmp

                Filesize

                64KB

              • memory/2052-115-0x0000000004F30000-0x00000000050FA000-memory.dmp

                Filesize

                1.8MB

              • memory/2052-106-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/2052-113-0x0000000004F30000-0x00000000050FA000-memory.dmp

                Filesize

                1.8MB

              • memory/2052-112-0x0000000001EC0000-0x0000000001EEE000-memory.dmp

                Filesize

                184KB

              • memory/2052-105-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/2052-41-0x0000000001DF0000-0x0000000001EBB000-memory.dmp

                Filesize

                812KB

              • memory/2052-37-0x0000000001DF0000-0x0000000001EBB000-memory.dmp

                Filesize

                812KB

              • memory/2052-130-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/2052-40-0x000007FEBDA90000-0x000007FEBDAA0000-memory.dmp

                Filesize

                64KB

              • memory/2052-592-0x0000000002A80000-0x0000000002A81000-memory.dmp

                Filesize

                4KB

              • memory/2052-179-0x0000000004F30000-0x00000000050FA000-memory.dmp

                Filesize

                1.8MB

              • memory/2052-642-0x0000000002A80000-0x0000000002A81000-memory.dmp

                Filesize

                4KB

              • memory/2052-111-0x0000000002AC0000-0x0000000002B77000-memory.dmp

                Filesize

                732KB

              • memory/2052-108-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/2052-27-0x0000000000060000-0x0000000000061000-memory.dmp

                Filesize

                4KB

              • memory/2052-33-0x0000000000090000-0x0000000000093000-memory.dmp

                Filesize

                12KB

              • memory/2052-25-0x0000000000160000-0x0000000000223000-memory.dmp

                Filesize

                780KB

              • memory/2052-110-0x00000000005C0000-0x00000000005CF000-memory.dmp

                Filesize

                60KB

              • memory/2052-101-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/2052-100-0x0000000001DF0000-0x0000000001EBB000-memory.dmp

                Filesize

                812KB

              • memory/2052-102-0x0000000001DF0000-0x0000000001EBB000-memory.dmp

                Filesize

                812KB

              • memory/2052-103-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/2052-104-0x0000000000530000-0x0000000000531000-memory.dmp

                Filesize

                4KB

              • memory/2052-643-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

                Filesize

                4KB

              • memory/2052-662-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

                Filesize

                4KB

              • memory/2392-46-0x0000000000D90000-0x0000000000DFE000-memory.dmp

                Filesize

                440KB

              • memory/2392-67-0x0000000000D90000-0x0000000000DFE000-memory.dmp

                Filesize

                440KB

              • memory/2392-0-0x0000000000D90000-0x0000000000DFE000-memory.dmp

                Filesize

                440KB