8dc8690323b9905db8c8b68d47287ca9aa6c1c3793afd882e085da5020d9b7c2

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cdd56ad474ebef40f70b209d6bb5415.exe
Size

300KB
MD5

3cdd56ad474ebef40f70b209d6bb5415
SHA1

7f03cfa41b6abe440738a2c824b67b1ec16c7205
SHA256

8dc8690323b9905db8c8b68d47287ca9aa6c1c3793afd882e085da5020d9b7c2
SHA512

b925fe7e3bacac9042636fd6fb5bf57d90aa17847d88caf6a7edc411f759178d225c8d0da0c13a380892cc888ebe46608a4eb21c3925746905c1df4fa466bb2a
SSDEEP

6144:lxcGs0RLkFpzB/Zz92IzuSqVkATxeBVmLotzbE3r9yDQvM:BRLkfzBRR2+akFvmLot/E3g80

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NPKEventRemoteLog\Parameters\ServiceDll = "C:\\Windows\\system32\\npkcore9.dll"	3cdd56ad474ebef40f70b209d6bb5415.exe

Loads dropped DLL 1 IoCs

pid	Process
2324	svchost.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	203.240.193.11
Destination IP	67.43.161.221
Destination IP	67.43.173.8
Destination IP	67.43.173.8
Destination IP	202.30.143.11
Destination IP	203.240.193.11
Destination IP	67.43.173.7
Destination IP	67.43.173.7
Destination IP	203.240.193.11
Destination IP	202.30.143.11

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2324-30-0x0000000001A10000-0x0000000001A27000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\npkcore9.dll	3cdd56ad474ebef40f70b209d6bb5415.exe
File created	C:\Windows\SysWOW64\npkcore9.dll	3cdd56ad474ebef40f70b209d6bb5415.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
916	3cdd56ad474ebef40f70b209d6bb5415.exe
916	3cdd56ad474ebef40f70b209d6bb5415.exe
2324	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	916	3cdd56ad474ebef40f70b209d6bb5415.exe
Token: SeDebugPrivilege	916	3cdd56ad474ebef40f70b209d6bb5415.exe
Token: SeDebugPrivilege	916	3cdd56ad474ebef40f70b209d6bb5415.exe
Token: SeDebugPrivilege	916	3cdd56ad474ebef40f70b209d6bb5415.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1144	916	3cdd56ad474ebef40f70b209d6bb5415.exe	20
PID 916 wrote to memory of 1144	916	3cdd56ad474ebef40f70b209d6bb5415.exe	20
PID 916 wrote to memory of 1144	916	3cdd56ad474ebef40f70b209d6bb5415.exe	20

C:\Users\Admin\AppData\Local\Temp\3cdd56ad474ebef40f70b209d6bb5415.exe
"C:\Users\Admin\AppData\Local\Temp\3cdd56ad474ebef40f70b209d6bb5415.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\240601906.bat
  2⤵
  PID:1144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\npkcore9.dll

Filesize
92KB

MD5
01f2230eb5932e04c0301a68022b9d66

SHA1
0faa87b293dd9de73cb1f10027a846c14e8d096d

SHA256
08fa122e85125f0ae4ffdbfacc22d3bbad4368f2e79ab6c2f9cb11181decaa6b

SHA512
63608bc00c2c8bd17aba73f6dce0922ab71436ccc95232987fb86bdb35e4b1ceda241de54f5f6eaa725431b0249f19a9cba88a00eb131c6ad3344f157c4fd813

Download Submit
\??\c:\windows\SysWOW64\npkcore9.dll

Filesize
212KB

MD5
230be104dc38d7f63793602c5e27ff8f

SHA1
f304dd54c3362524b2f6a997e84160c71ae40e48

SHA256
8aa166be69cdcaba12bd3d70a06af8e3717d06372dd39b9812050f304d4147de

SHA512
2c141dcb2333080abe1077096d183875d7cfde6fa9d55506414e86c11c2ab5f244d9fa4c48dcea8e59586d680f460d19019d3db6e8e6c3efb9109134a9fc72ce

Download Submit
memory/916-24-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/916-1-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/916-4-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/916-15-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/916-11-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/916-26-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/916-0-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2324-30-0x0000000001A10000-0x0000000001A27000-memory.dmp

Filesize
92KB

Download
memory/2324-27-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/2324-55-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/2324-56-0x0000000001000000-0x0000000001200000-memory.dmp

Filesize
2.0MB

Download
memory/2324-58-0x0000000001000000-0x0000000001200000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads