1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053

General

Target

1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
Size

1.4MB
MD5

5bffbc6fbfef7805bf1025fe3b252f32
SHA1

e94909d28e39a10eea3d6fcedcd6cd7bb609185a
SHA256

1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053
SHA512

aaba43ca16a5523f15aa6660d6d031eb1af72012994b82dce88152d53a21e360dd3bf87915cf27a17e3717d40b99025ab9d516de4d3f80100566eb5505e2b366
SSDEEP

24576:2oaQk9HHhLzdok75ns9nyzf5hojqxzRJJ0+12:2ojkJBLz6ktns98f5hbx1JJD2

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\L8J8BA8omB6AT.sys	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uCcItjozpD.yhd	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe

Deletes itself 1 IoCs

pid	Process
2224	cmd.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	2	114.114.114.114	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
Destination IP	9	114.114.114.114	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
Destination IP	51	114.114.114.114	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1784-0-0x00000000012E0000-0x000000000141F000-memory.dmp	vmprotect
behavioral1/memory/1784-1-0x00000000012E0000-0x000000000141F000-memory.dmp	vmprotect
behavioral1/files/0x000b000000012117-13.dat	vmprotect
behavioral1/memory/1784-110-0x00000000012E0000-0x000000000141F000-memory.dmp	vmprotect
behavioral1/memory/1784-351-0x00000000012E0000-0x000000000141F000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\CQ60H5TVqM17O.sys	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
File opened for modification	C:\Windows\SysWOW64\8aZEU0Al40nA.mpl	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\g1ncKunB2fzG.sys	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
File opened for modification	C:\Program Files\0b8Dj8WlSh.stu	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
File opened for modification	C:\Program Files (x86)\2cC69aFvvknC.sys	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
File opened for modification	C:\Program Files (x86)\1ngZjEWznyhu.ndg	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AmQzX4mhvAjBYj.aqi	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
File opened for modification	C:\Windows\bQckOgmedF8.sys	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2528	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe

Suspicious behavior: LoadsDriver 14 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
Token: SeTcbPrivilege	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
Token: SeIncBasePriorityPrivilege	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2224	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe	31
PID 1784 wrote to memory of 2224	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe	31
PID 1784 wrote to memory of 2224	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe	31
PID 1784 wrote to memory of 2224	1784	1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe	31
PID 2224 wrote to memory of 2528	2224	cmd.exe	33
PID 2224 wrote to memory of 2528	2224	cmd.exe	33
PID 2224 wrote to memory of 2528	2224	cmd.exe	33
PID 2224 wrote to memory of 2528	2224	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe
"C:\Users\Admin\AppData\Local\Temp\1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe"
1⤵
- Drops file in Drivers directory
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\1c65f0109f37c52a2b05422b5de18bd6644157149eae035c75df3a3abb989053.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar544F.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Windows\bQckOgmedF8.sys

Filesize
100KB

MD5
b78512a09b506b7af9ea08d64ff16e08

SHA1
e6b79ac77ca72cacdcd1556e29af0fe949bfd89f

SHA256
91bd0ecb80d5ce3fafda7bda4a092f7beefff012f07c458a0056ca6363e7e3b1

SHA512
ea19f980269995f399a949ebd5e2dbde3dcd6b203e911dc1718e6223973540c44ffc82781ff3434448b5ae5f9367e115c98f5e904e46f5512cd8e0f44ab62d6d

Download Submit
memory/1784-0-0x00000000012E0000-0x000000000141F000-memory.dmp

Filesize
1.2MB

Download
memory/1784-1-0x00000000012E0000-0x000000000141F000-memory.dmp

Filesize
1.2MB

Download
memory/1784-110-0x00000000012E0000-0x000000000141F000-memory.dmp

Filesize
1.2MB

Download
memory/1784-351-0x00000000012E0000-0x000000000141F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing