9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
Size

578KB
MD5

b52088e450ef03ff18b089f2638e54a0
SHA1

98c65f8876cd9c0065cf8ca2d0305d16d265e4ea
SHA256

9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610
SHA512

43312e853b0c6c721ec0bb7aa5ec4a6c3dbf1506a4e413209e4828bf30e23f3ba618dd27d94bcff52cc2aa33f933004e5b4ce6bd174961f6c95cfa5225aff53f
SSDEEP

6144:XV55pRPQdrFhbEhtVacLaN//2gWF6lxcBbmKm:XDDGdDbEh/a3tKj

Score

8^/10

discovery evasion upx

Malware Config

Signatures

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	vxdserv.exe

Executes dropped EXE 1 IoCs

pid	Process
628	vxdserv.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vxdserv.exe	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
File opened for modification	C:\Windows\SysWOW64\vxdserv.exe	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
File created	C:\Windows\SysWOW64\vxdserv.exe	vxdserv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2996-0-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/files/0x0008000000023431-6.dat	upx
behavioral2/memory/2996-8-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/628-9-0x0000000000400000-0x0000000000448000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vxdserv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
628	vxdserv.exe
628	vxdserv.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
628	vxdserv.exe
628	vxdserv.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
628	vxdserv.exe
628	vxdserv.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe
628	vxdserv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 628	2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe	82
PID 2996 wrote to memory of 628	2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe	82
PID 2996 wrote to memory of 628	2996	9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe	82

C:\Users\Admin\AppData\Local\Temp\9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
"C:\Users\Admin\AppData\Local\Temp\9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe"
1⤵
- Looks for VMWare Tools registry key
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\vxdserv.exe
  C:\Windows\system32\vxdserv.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vxdserv.exe

Filesize
584KB

MD5
1b122ad1d6ec5945bdaa8eb0e150db23

SHA1
286626f846173a94357bf7362e920db2154c6c99

SHA256
54f5274317090538d447fb2c6fc82a8183d3851d8d8bf8404b42a5da349215f5

SHA512
ed9a631841dda5221ef0a8005219b6d58e0bd2a3e41cb7cb37bf3a0cdcb83939ce9fb0a3af1dd8e7c16cf06187786c2f1f123ff9d7e201d16e39cce8d05727e0

Download Submit
memory/628-9-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2996-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2996-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download