Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/06/2024, 07:34
Static task
static1
Behavioral task
behavioral1
Sample
b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe
Resource
win10v2004-20240426-en
General
-
Target
b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe
-
Size
95KB
-
MD5
dae39904d892c7cfaaa95bfa50a7b976
-
SHA1
296d813c666e50c1816b7a77546a6ac93b826ceb
-
SHA256
b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b
-
SHA512
83a9325bccc04ea9e04b6e5255b888e9f01ceb32b8d524e34f2a5817d54ec3e93787cdfffec840d2b05e5a313fe3bf91636a15af90451a40a83fa788213204f0
-
SSDEEP
1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU6m:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/Ah
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation cmd.exe -
Deletes itself 1 IoCs
pid Process 1188 WScript.exe -
Executes dropped EXE 6 IoCs
pid Process 2268 rMX.exe 3840 rMX.exe.exe 1488 rMX.exe 4660 rMX.exe 4064 rMX.exe 2196 rMX.exe -
resource yara_rule behavioral2/memory/4660-22-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral2/memory/4660-29-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral2/memory/4660-34-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral2/memory/4660-33-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral2/memory/4660-20-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral2/memory/4660-21-0x0000000010000000-0x000000001002A000-memory.dmp upx -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1488 set thread context of 4660 1488 rMX.exe 91 PID 1488 set thread context of 4064 1488 rMX.exe 92 PID 1488 set thread context of 2196 1488 rMX.exe 93 -
Drops file in Windows directory 9 IoCs
description ioc Process File created \??\c:\windows\rMX.exe.bat rMX.exe File opened for modification \??\c:\windows\nk.txt cmd.exe File created C:\WINDOWS\VWFLH\rMX.exe rMX.exe.exe File created \??\c:\windows\rMX.exe.bat rMX.exe File created C:\WINDOWS\VWFLH\rMX.exe.exe rMX.exe File opened for modification C:\WINDOWS\VWFLH\rMX.exe.exe rMX.exe File opened for modification C:\WINDOWS\VWFLH\rMX.exe rMX.exe.exe File created C:\WINDOWS\VWFLH\rMX.exe b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe File opened for modification C:\WINDOWS\VWFLH\rMX.exe b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2300 2196 WerFault.exe 1696 4064 WerFault.exe 92 -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings cmd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4660 rMX.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 1204 wrote to memory of 2268 1204 b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe 82 PID 1204 wrote to memory of 2268 1204 b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe 82 PID 1204 wrote to memory of 2268 1204 b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe 82 PID 2268 wrote to memory of 356 2268 rMX.exe 83 PID 2268 wrote to memory of 356 2268 rMX.exe 83 PID 2268 wrote to memory of 356 2268 rMX.exe 83 PID 2268 wrote to memory of 3404 2268 rMX.exe 84 PID 2268 wrote to memory of 3404 2268 rMX.exe 84 PID 2268 wrote to memory of 3404 2268 rMX.exe 84 PID 1204 wrote to memory of 4340 1204 b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe 85 PID 1204 wrote to memory of 4340 1204 b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe 85 PID 1204 wrote to memory of 4340 1204 b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe 85 PID 3404 wrote to memory of 3840 3404 cmd.exe 89 PID 3404 wrote to memory of 3840 3404 cmd.exe 89 PID 3404 wrote to memory of 3840 3404 cmd.exe 89 PID 3840 wrote to memory of 1488 3840 rMX.exe.exe 90 PID 3840 wrote to memory of 1488 3840 rMX.exe.exe 90 PID 3840 wrote to memory of 1488 3840 rMX.exe.exe 90 PID 1488 wrote to memory of 4660 1488 rMX.exe 91 PID 1488 wrote to memory of 4660 1488 rMX.exe 91 PID 1488 wrote to memory of 4660 1488 rMX.exe 91 PID 1488 wrote to memory of 4660 1488 rMX.exe 91 PID 1488 wrote to memory of 4660 1488 rMX.exe 91 PID 1488 wrote to memory of 4660 1488 rMX.exe 91 PID 1488 wrote to memory of 4660 1488 rMX.exe 91 PID 1488 wrote to memory of 4660 1488 rMX.exe 91 PID 1488 wrote to memory of 4064 1488 rMX.exe 92 PID 1488 wrote to memory of 4064 1488 rMX.exe 92 PID 1488 wrote to memory of 4064 1488 rMX.exe 92 PID 1488 wrote to memory of 4064 1488 rMX.exe 92 PID 1488 wrote to memory of 2196 1488 rMX.exe 93 PID 1488 wrote to memory of 2196 1488 rMX.exe 93 PID 1488 wrote to memory of 2196 1488 rMX.exe 93 PID 1488 wrote to memory of 2196 1488 rMX.exe 93 PID 3840 wrote to memory of 3512 3840 rMX.exe.exe 95 PID 3840 wrote to memory of 3512 3840 rMX.exe.exe 95 PID 3840 wrote to memory of 3512 3840 rMX.exe.exe 95 PID 4340 wrote to memory of 1188 4340 cmd.exe 97 PID 4340 wrote to memory of 1188 4340 cmd.exe 97 PID 4340 wrote to memory of 1188 4340 cmd.exe 97 PID 3512 wrote to memory of 1172 3512 cmd.exe 102 PID 3512 wrote to memory of 1172 3512 cmd.exe 102 PID 3512 wrote to memory of 1172 3512 cmd.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe"C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\WINDOWS\VWFLH\rMX.exeC:\WINDOWS\VWFLH\rMX.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\cmd.execmd /c echo 0>>c:\windows\nk.txt3⤵
- Drops file in Windows directory
PID:356
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\WINDOWS\VWFLH\rMX.exe.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\WINDOWS\VWFLH\rMX.exe.exeC:\WINDOWS\VWFLH\rMX.exe.exe4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\WINDOWS\VWFLH\rMX.exeC:\WINDOWS\VWFLH\rMX.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\WINDOWS\VWFLH\rMX.exeC:\WINDOWS\VWFLH\rMX.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660
-
-
C:\WINDOWS\VWFLH\rMX.exeC:\WINDOWS\VWFLH\rMX.exe6⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 807⤵
- Program crash
PID:1696
-
-
-
C:\WINDOWS\VWFLH\rMX.exeC:\WINDOWS\VWFLH\rMX.exe6⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 807⤵
- Program crash
PID:2300
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c c:\64.vbs5⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\64.vbs"6⤵PID:1172
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c c:\13.vbs2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\13.vbs"3⤵
- Deletes itself
PID:1188
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2196 -ip 21961⤵PID:1928
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4064 -ip 40641⤵PID:3500
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236B
MD54fc553bf0fd7a436b104a162d998a5e1
SHA18e034bf7ef81ff8e38941b63e216adc0158617fd
SHA2568f341f682c7f5f5c237ef717781249ac8db6e59ccffae2de26e2f498af3e61fb
SHA512b8e597e70198b5a5ef20cb9d1d6e7d6fb2a80a6edcc0ff882ade30de29394aadaf9aaf9ef298b40b5dc988a791e5eb55e8e1628f9ab144f5bff6b673a69287ca
-
Filesize
162B
MD51b17358618f4d20e00ba6f2eeb9aab03
SHA1cca9115ee97eb54bd2a82ea156bbf8ab62a472c9
SHA256921afc09aa5117b83222e3c17495838aaddad9f2194ffc0b854a17e4743af420
SHA512a438b0a902232d2c57e7d2144e57117d77a912ff1b826b7c0668fb0225f342ea2696efc9901d1cc050e8580bc6aaaf36ae2bde5b08e931fb7e982543d66c9515
-
Filesize
95KB
MD5dae39904d892c7cfaaa95bfa50a7b976
SHA1296d813c666e50c1816b7a77546a6ac93b826ceb
SHA256b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b
SHA51283a9325bccc04ea9e04b6e5255b888e9f01ceb32b8d524e34f2a5817d54ec3e93787cdfffec840d2b05e5a313fe3bf91636a15af90451a40a83fa788213204f0
-
Filesize
95KB
MD5acda0d5dd519bb7600d6d35af3c8b189
SHA1d103ce109869c19dd037e4348eca6e7dfa3d0b0b
SHA256f400c75f1d91dadb03ef03d6e2dbe9e71042794aba8e9a8b278c02bb235a260d
SHA51202b336079436fae2db16780f4d79ade1da9b8b0617a02980f49d34ce200b56efd13525e5f9737ebc4b7c454d48d04b5999f77c68b9b857d8baae9ff056243f03