Analysis

  • max time kernel: 71s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231127-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/12/2023, 12:36

General

  • Target

    84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe

  • Size

    1.5MB

  • MD5

    a441561cc8fc071c5f59d97c90cc13f6

  • SHA1

    1d2ba7328ebd85ec060b89e23f5b5ae0ace61784

  • SHA256

    84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6

  • SHA512

    80b0035af398f271c0364400476e3d043a2a12a4e44bdbb255b71aed2f2187bc437c2b4d07a8ccc254c80dcadb746aba010290ff5955f56f1559304fcfc213f1

  • SSDEEP

    12288:kOuW5o/oStsq4CWKKCrZTGF/k8uMxtxPvvzl6yyyRyyyec0:kjSow1qJbKkKF/eMNPjlvc0

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  • Drops file in Drivers directory (9 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination (1 IoC)

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file (4 IoCs)

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory (19 IoCs)
  • Drops file in Program Files directory (16 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe (1 IoC)
  • Modifies data under HKEY_USERS (9 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: LoadsDriver (59 IoCs)
  • Suspicious use of AdjustPrivilegeToken (16 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:624
      • C:\ProgramData\Microsoft\change.exe
        "C:\ProgramData\Microsoft\change.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:240
        • C:\Windows\system32\eudcedit.exe
          "C:\Windows\system32\eudcedit.exe"
          3⤵
            PID:3480
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3372
        • C:\Users\Admin\AppData\Local\Temp\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe
          "C:\Users\Admin\AppData\Local\Temp\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe"
          2⤵
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1736
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\84eea0bb5ddd6f31fc4bab990ba958e14f887896a12b7a001d6ab41a32c586f6.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1240
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 1
              4⤵
              • Delays execution with timeout.exe
              PID:1600

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\ProgramData\Microsoft\change.exe

              Filesize

              17KB

              MD5

              b5a2475e90b9970f16c50d392b9a16bb

              SHA1

              0fc5eaafbb93c2d1816f0fed0e1d5b2a3ae57373

              SHA256

              d2df044b73e57cb2ffab4beae33355301b124b7ca45861c683b97d376019d717

              SHA512

              c2afc2ff49a578c67921290d598bff0e5aa0149731b4732d6ecdb3a44e71c3aa20c734e6e63e4ecaeb668f49c168bb1cf2a72d6f711332457b05b7d1fc65b9be

            • C:\Windows\3M9Sx8SMWqIM.sys

              Filesize

              415KB

              MD5

              b9076ace2d4d707301cc87c5c19817ed

              SHA1

              7eae50f77c3e4eb950f9141ef7e10f8a2f0adc4e

              SHA256

              82896b855e5130eb7a797ed7b6e90773438f9d1bad36f90472cbb505f8466e77

              SHA512

              a6ba8619035db8fe13fc9e5b368a34bf65ce4e5fde23a63a242e024f35727a993fb9d8f8504383ef8a5ad781e2655101b771b9f71e7d31266736191fb509369b

            • C:\Windows\EdKaCzYZfG.sys

              Filesize

              447KB

              MD5

              d15f5f23df8036bd5089ce8d151b0e0d

              SHA1

              4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

              SHA256

              f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

              SHA512

              feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

            • C:\Windows\Ki74vuhGoAzua.sys

              Filesize

              415KB

              MD5

              64bc1983743c584a9ad09dacf12792e5

              SHA1

              0f14098f523d21f11129c4df09451413ddff6d61

              SHA256

              057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

              SHA512

              9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

            • C:\Windows\Y6gBMD7IbrtJE.sys

              Filesize

              447KB

              MD5

              f775833a34b09c2e325c2fd7cfdea344

              SHA1

              0b2bd156c02c1ac93955846e97a4bf967f405a61

              SHA256

              a4a4abd8c223e3f75fac0a82af2c92d7adb5133a1f18e0d5eb9abbcb93fc6803

              SHA512

              d453ed908506e034127c3cfff964d10920b33b80c0f92a6529156238b649c8ffe774e9c66bcfd75bec8eb90e2a69d4bb7d3af2221e15610cf9d8c6038f3c89b8
