Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 18:32

General

  • Target

    9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe

  • Size

    578KB

  • MD5

    b52088e450ef03ff18b089f2638e54a0

  • SHA1

    98c65f8876cd9c0065cf8ca2d0305d16d265e4ea

  • SHA256

    9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610

  • SHA512

    43312e853b0c6c721ec0bb7aa5ec4a6c3dbf1506a4e413209e4828bf30e23f3ba618dd27d94bcff52cc2aa33f933004e5b4ce6bd174961f6c95cfa5225aff53f

  • SSDEEP

    6144:XV55pRPQdrFhbEhtVacLaN//2gWF6lxcBbmKm:XDDGdDbEh/a3tKj

Score
8/10

Malware Config

Signatures

  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe
    "C:\Users\Admin\AppData\Local\Temp\9f9699c5083b402eae59e13b9bb872db8b951c152950726db87fca6ed334d610N.exe"
    1⤵
    • Looks for VMWare Tools registry key
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\SysWOW64\vxdserv.exe
      C:\Windows\system32\vxdserv.exe
      2⤵
      • Looks for VMWare Tools registry key
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\vxdserv.exe

    Filesize

    584KB

    MD5

    1b122ad1d6ec5945bdaa8eb0e150db23

    SHA1

    286626f846173a94357bf7362e920db2154c6c99

    SHA256

    54f5274317090538d447fb2c6fc82a8183d3851d8d8bf8404b42a5da349215f5

    SHA512

    ed9a631841dda5221ef0a8005219b6d58e0bd2a3e41cb7cb37bf3a0cdcb83939ce9fb0a3af1dd8e7c16cf06187786c2f1f123ff9d7e201d16e39cce8d05727e0

  • memory/628-9-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2996-0-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2996-8-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB