469d9d4815a2a5ef207f9c4ad6bafc7d8c1cfba3d432862961895f6d4fffac8f

Resubmissions

14/05/2024, 01:24

240514-bsgbzsea94 7

13/05/2024, 21:44

240513-1lq1aaeh5t 7

Analysis

max time kernel
285s
max time network
287s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

YVLHFAC#XJFDRAZNVUHA.zip
Size

5.5MB
MD5

a460244a631b1b934fef9d75ecb55695
SHA1

7b2361caa0590e2d5888026c727f79f8c3e41011
SHA256

469d9d4815a2a5ef207f9c4ad6bafc7d8c1cfba3d432862961895f6d4fffac8f
SHA512

521e009cf18f29ee598357aff7079e9d1f946d9bb3d367b9e0ef85e883cf9402ace8e8f247a2219a150ff003c79ecb6f6c6995a0145264ce11331189020d4142
SSDEEP

98304:0xjko9kyYh6IGWLpcE70C9FYS8q42fB3PnfPMSAjOb83bgwbDbflc2hx0c+bwwv/:0J5EOE70C9GL2flkOY3kwbVxAfn

Score

7^/10

execution persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe

Executes dropped EXE 2 IoCs

pid	Process
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
4692	ModemWavexkpDialProX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HPMactoolsSingleUpdaterqxHFkuP$DsvD_u;e2($+euqx = "C:\\ProgramData\\DialZoomcbptModemFlexMax\\ModemWavexkpDialProX.exe /runas"	ModemWavexkpDialProX.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	ip-api.com
92	ip-api.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4696	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "12"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4692	ModemWavexkpDialProX.exe
4696	powershell.exe
4696	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3556	7zG.exe
Token: 35	3556	7zG.exe
Token: SeSecurityPrivilege	3556	7zG.exe
Token: SeSecurityPrivilege	3556	7zG.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeShutdownPrivilege	4692	ModemWavexkpDialProX.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3556	7zG.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
4504	LogonUI.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 4692	2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe	110
PID 2632 wrote to memory of 4692	2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe	110
PID 2632 wrote to memory of 4692	2632	VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe	110
PID 4692 wrote to memory of 3276	4692	ModemWavexkpDialProX.exe	119
PID 4692 wrote to memory of 3276	4692	ModemWavexkpDialProX.exe	119
PID 4692 wrote to memory of 3276	4692	ModemWavexkpDialProX.exe	119
PID 3276 wrote to memory of 4696	3276	cmd.exe	121
PID 3276 wrote to memory of 4696	3276	cmd.exe	121
PID 3276 wrote to memory of 4696	3276	cmd.exe	121

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\YVLHFAC#XJFDRAZNVUHA.zip
1⤵
PID:464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:212

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\YVLHFAC#XJFDRAZNVUHA\" -spe -an -ai#7zMap14848:98:7zEvent22276
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3556

C:\Users\Admin\Desktop\YVLHFAC#XJFDRAZNVUHA\VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe
"C:\Users\Admin\Desktop\YVLHFAC#XJFDRAZNVUHA\VXEGZHBFCFDI_JZXLIDedalles_FEPHDOC#_TSBG.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\ProgramData\DialZoomcbptModemFlexMax\ModemWavexkpDialProX.exe
  "C:\ProgramData\DialZoomcbptModemFlexMax\ModemWavexkpDialProX.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name HPMactoolsSingleUpdaterqxHFkuP$DsvD_u;e2($+euqx -Value 'C:\ProgramData\DialZoomcbptModemFlexMax\ModemWavexkpDialProX.exe /runas'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name HPMactoolsSingleUpdaterqxHFkuP$DsvD_u;e2($+euqx -Value 'C:\ProgramData\DialZoomcbptModemFlexMax\ModemWavexkpDialProX.exe /runas'""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tz20c4rn.adj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\DialZoomcbptModemFlexMax\ZbqrzJnirkxcQvnyCebK.cfg

Filesize
1KB

MD5
4abecb7d0eb621a8e185e519acb8ce97

SHA1
b584851a429f0896fa9584f2cf6436c4789cd3ac

SHA256
63f38e5336588bc7f5f1ff706a28d079ee40fb93ba9340e774a51e7d18319557

SHA512
49bf69bc98f08ca05dfbf7f3fccc4dee5686c3a51db945e351eb28d872903e6f9c974a2d373509a69ea05ed4029fd6a13c6d5ba9c063d65ba689817084d02f34

Download Submit
memory/2632-7-0x0000000000E30000-0x0000000001E30000-memory.dmp

Filesize
16.0MB

Download
memory/2632-215-0x0000000000E30000-0x0000000001E30000-memory.dmp

Filesize
16.0MB

Download
memory/2632-227-0x0000000000E30000-0x0000000001E30000-memory.dmp

Filesize
16.0MB

Download
memory/2632-229-0x0000000000E30000-0x0000000001E30000-memory.dmp

Filesize
16.0MB

Download
memory/2632-6-0x0000000000E30000-0x0000000001E30000-memory.dmp

Filesize
16.0MB

Download
memory/4692-315-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-346-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-274-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-284-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-291-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-301-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-308-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-232-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-325-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-332-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-339-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-233-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-356-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-363-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-390-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-228-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4696-371-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/4696-383-0x0000000005B60000-0x0000000005EB4000-memory.dmp

Filesize
3.3MB

Download
memory/4696-378-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/4696-377-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/4696-370-0x0000000005210000-0x0000000005838000-memory.dmp

Filesize
6.2MB

Download
memory/4696-384-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/4696-385-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/4696-369-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

Filesize
216KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads