Analysis

  • max time kernel
    152s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2023, 14:44

General

  • Target
    dirote.exe
  • Size
    553KB
  • MD5
    9f23422d7bae3427c8965ac9885f6d68
  • SHA1
    aed90ec64afb218feb7f0d5352447d97c2a81eb5
  • SHA256
    71db8f9557954bb1f0d5ecc9b1fe7ddd9d23f3e505bcf6a41c86f2b93e4ba787
  • SHA512
    14fe187a2d891427301f515add10ae740792b24e2f45960271632650e5cd4b3f258fd3335a78444b4df68e23665866cf536bc361dd6d5690ddca03fd1e19620a
  • SSDEEP
    12288:LluLKVDZI1aXnlFpAiITAUXLkE0KK53REtAAzTCcvx5BaL:LzDZwaeiIMuLkZ1Ri/qkn0L

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • UPX packed file (7 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (40 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dirote.exe
    "C:\Users\Admin\AppData\Local\Temp\dirote.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\f1ght.exe
      "C:\Users\Admin\AppData\Local\Temp\f1ght.exe" xsiger.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c xsiger.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Users\Admin\AppData\Local\Temp\ger.exe
          ger ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\sxpzoolkxd=C:\Users\Admin\AppData\Local\Temp\f1ght.exe C:\Users\Admin\AppData\Local\Temp\dirote.exe"
          4⤵
          • Adds Run key to start application
          PID:3996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\redroses
    Filesize: 2KB
    MD5: 0d7ee815e4d7dfa077337095f2106750
    SHA1: c80c8a69860bc31e698ad171c86a4b794284a919
    SHA256: 277510f5e16b944793b10f0d55c903568d10ef8819525a02c0aef31d8c4246b7
    SHA512: 6d1cff56d10029ca46f4ab3a519ea5c7e71e59c032507485db73ae2127cfee1891497564771e09aae0e639c6a0e3171bb61906db53c8cc50605f88c854bd50a7

  • C:\Users\Admin\AppData\Local\Temp\redroses
    Filesize: 2KB
    MD5: bc7b885f6198f3fca727b01798c4f7a7
    SHA1: a7bab1cacf4af77915ecadee7fda348898f985d7
    SHA256: 70eebe91ab4d70e0d5517cfc9df5d3f407b863b8cf8e5df83bd62a26ef06b308
    SHA512: 6b26839e788ceda59b1c7e7627c0977a38552d888242aed32aa22889513c5e45b93f6d40843168c74876bbcc8a8b788b73d8d07348a6a170f233771d388ac5bb

  • C:\Users\Admin\AppData\Local\Temp\redroses
    Filesize: 2KB
    MD5: 0b1b75cf8e76d2eba6cceda49f2104b5
    SHA1: f5d461e865fcadbd7996bc752ea24bbefd66550e
    SHA256: b65ddf1b60c11f798cf58f5da6df7dcb9b1da0fd8b946935c4ee0873224af6ab
    SHA512: 27554eb73cc953006e861b336090ba7700706f42e9c051c9930aaaa1b19166dbcebcc4efcbce43913fc249b44c1d7c4c43b6f5c5d2fb488dddca32459eb40404

  • C:\Users\Admin\AppData\Local\Temp\redroses
    Filesize: 2KB
    MD5: e34ae6f7ca0cb43d463db278775ba054
    SHA1: 8a91aa956244468506a51342716aabe9b386f599
    SHA256: 423240bff18c61cfcc48524f56809b20bf5184d0c872a15230bc2a6141a97961
    SHA512: 5ae1236a01bdeb5348fde31580b5d6fdc0d2bcf6c24f5f53f4622810b25a03a6c39b3bc7a384ae90374189fe94012aec2bff1119b405376969f90fa1e1a2e52f

  • C:\Users\Admin\AppData\Local\Temp\xsiger.bat
    Filesize: 176B
    MD5: 4dd31177d8a4b8312bd1c2067f73ef5a
    SHA1: b917837c38cdc2ac2f7982b5d3cbb5d27764798f
    SHA256: cf93db5f41fc73bf21013fff27eeac189861a471b2b3844afa744c59ae5c96db
    SHA512: cb4bf024b4527caead8c1da0da7b44b534dfce3a20f30e9c9037bc0d9357bcb852c41b23f11d34a762a00f928e0eae18b0775c8f313128d734f92d7b33c356cb

  • memory/1908-228-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/3672-0-0x0000000000400000-0x000000000059A000-memory.dmp
    Filesize: 1.6MB

  • memory/3672-169-0x0000000000400000-0x000000000059A000-memory.dmp
    Filesize: 1.6MB

  • memory/3672-227-0x0000000000400000-0x000000000059A000-memory.dmp
    Filesize: 1.6MB

  • memory/3672-229-0x0000000000400000-0x000000000059A000-memory.dmp
    Filesize: 1.6MB

  • memory/3996-231-0x0000000001000000-0x0000000001031000-memory.dmp
    Filesize: 196KB

  • memory/3996-232-0x0000000001000000-0x0000000001031000-memory.dmp
    Filesize: 196KB