Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/06/2024, 07:34

General

  • Target

    b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe

  • Size

    95KB

  • MD5

    dae39904d892c7cfaaa95bfa50a7b976

  • SHA1

    296d813c666e50c1816b7a77546a6ac93b826ceb

  • SHA256

    b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b

  • SHA512

    83a9325bccc04ea9e04b6e5255b888e9f01ceb32b8d524e34f2a5817d54ec3e93787cdfffec840d2b05e5a313fe3bf91636a15af90451a40a83fa788213204f0

  • SSDEEP

    1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU6m:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/Ah

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe
    "C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\WINDOWS\VWFLH\rMX.exe
      C:\WINDOWS\VWFLH\rMX.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo 0>>c:\windows\nk.txt
        3⤵
        • Drops file in Windows directory
        PID:356
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3404
        • C:\WINDOWS\VWFLH\rMX.exe.exe
          C:\WINDOWS\VWFLH\rMX.exe.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:3840
          • C:\WINDOWS\VWFLH\rMX.exe
            C:\WINDOWS\VWFLH\rMX.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\WINDOWS\VWFLH\rMX.exe
              C:\WINDOWS\VWFLH\rMX.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4660
            • C:\WINDOWS\VWFLH\rMX.exe
              C:\WINDOWS\VWFLH\rMX.exe
              6⤵
              • Executes dropped EXE
              PID:4064
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 80
                7⤵
                • Program crash
                PID:1696
            • C:\WINDOWS\VWFLH\rMX.exe
              C:\WINDOWS\VWFLH\rMX.exe
              6⤵
              • Executes dropped EXE
              PID:2196
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 80
                7⤵
                • Program crash
                PID:2300
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\64.vbs
            5⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3512
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\64.vbs"
              6⤵
                PID:1172
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\13.vbs
        2⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4340
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\13.vbs"
          3⤵
          • Deletes itself
          PID:1188
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2196 -ip 2196
      1⤵
        PID:1928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4064 -ip 4064
        1⤵
          PID:3500

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\13.vbs
    Filesize
    236B
    MD5
    4fc553bf0fd7a436b104a162d998a5e1
    SHA1
    8e034bf7ef81ff8e38941b63e216adc0158617fd
    SHA256
    8f341f682c7f5f5c237ef717781249ac8db6e59ccffae2de26e2f498af3e61fb
    SHA512
    b8e597e70198b5a5ef20cb9d1d6e7d6fb2a80a6edcc0ff882ade30de29394aadaf9aaf9ef298b40b5dc988a791e5eb55e8e1628f9ab144f5bff6b673a69287ca

  • C:\64.vbs
    Filesize
    162B
    MD5
    1b17358618f4d20e00ba6f2eeb9aab03
    SHA1
    cca9115ee97eb54bd2a82ea156bbf8ab62a472c9
    SHA256
    921afc09aa5117b83222e3c17495838aaddad9f2194ffc0b854a17e4743af420
    SHA512
    a438b0a902232d2c57e7d2144e57117d77a912ff1b826b7c0668fb0225f342ea2696efc9901d1cc050e8580bc6aaaf36ae2bde5b08e931fb7e982543d66c9515

  • C:\Windows\VWFLH\rMX.exe
    Filesize
    95KB
    MD5
    dae39904d892c7cfaaa95bfa50a7b976
    SHA1
    296d813c666e50c1816b7a77546a6ac93b826ceb
    SHA256
    b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b
    SHA512
    83a9325bccc04ea9e04b6e5255b888e9f01ceb32b8d524e34f2a5817d54ec3e93787cdfffec840d2b05e5a313fe3bf91636a15af90451a40a83fa788213204f0

  • C:\Windows\VWFLH\rMX.exe.exe
    Filesize
    95KB
    MD5
    acda0d5dd519bb7600d6d35af3c8b189
    SHA1
    d103ce109869c19dd037e4348eca6e7dfa3d0b0b
    SHA256
    f400c75f1d91dadb03ef03d6e2dbe9e71042794aba8e9a8b278c02bb235a260d
    SHA512
    02b336079436fae2db16780f4d79ade1da9b8b0617a02980f49d34ce200b56efd13525e5f9737ebc4b7c454d48d04b5999f77c68b9b857d8baae9ff056243f03

  • memory/1204-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
    Filesize
    124KB

  • memory/1488-32-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
    Filesize
    124KB

  • memory/2268-9-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
    Filesize
    124KB

  • memory/3840-35-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
    Filesize
    124KB

  • memory/4660-22-0x0000000010000000-0x000000001002A000-memory.dmp
    Filesize
    168KB

  • memory/4660-29-0x0000000010000000-0x000000001002A000-memory.dmp
    Filesize
    168KB

  • memory/4660-34-0x0000000010000000-0x000000001002A000-memory.dmp
    Filesize
    168KB

  • memory/4660-33-0x0000000010000000-0x000000001002A000-memory.dmp
    Filesize
    168KB

  • memory/4660-20-0x0000000010000000-0x000000001002A000-memory.dmp
    Filesize
    168KB

  • memory/4660-21-0x0000000010000000-0x000000001002A000-memory.dmp
    Filesize
    168KB