623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1

General

Target

623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
Size

488KB
MD5

0e686e2328569bc1f96c1c2fbf376d03
SHA1

401621e0d9252bf30d728e9a4d46f3f027fd9917
SHA256

623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1
SHA512

c1b01698ee3bd71a20dce51b7f140f3b68fc8688bebc1c57260c963a550321b25368f7a3d7bc65bb1d34a9e7dfaee727e7357da654756c8642c98708f3d94cb9
SSDEEP

12288:B9seFIphMlkX3N+Zm4ksbAyuNxVRzD6Bm:BieFImkX9EzVIjXaBm

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\3tFNLiKq9s88w2.sys	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\45muaycq3otCRP.usv	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	4	114.114.114.114	892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
Destination IP	31	114.114.114.114	892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
Destination IP	123	114.114.114.114	892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/892-0-0x0000000000510000-0x0000000000641000-memory.dmp	vmprotect
behavioral2/memory/892-1-0x0000000000510000-0x0000000000641000-memory.dmp	vmprotect
behavioral2/files/0x000b000000024061-13.dat	vmprotect
behavioral2/memory/892-39-0x0000000000510000-0x0000000000641000-memory.dmp	vmprotect
behavioral2/memory/892-40-0x0000000000510000-0x0000000000641000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sggf6ptFM3KyYo.sys	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
File opened for modification	C:\Windows\SysWOW64\7vOAGMntGL.vjb	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\lN9zHIXdNTAYq.sys	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
File opened for modification	C:\Program Files\B8iJ9fQhfz.tws	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
File opened for modification	C:\Program Files (x86)\Ps00ouAuA2.sys	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
File opened for modification	C:\Program Files (x86)\zzs4JshhBP.nqu	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MK0rPFmEjW.sys	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
File opened for modification	C:\Windows\arORneDjvY.vtn	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2676	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe

Suspicious behavior: LoadsDriver 14 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
Token: SeTcbPrivilege	892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
Token: SeIncBasePriorityPrivilege	892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 4244	892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe	107
PID 892 wrote to memory of 4244	892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe	107
PID 892 wrote to memory of 4244	892	623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe	107
PID 4244 wrote to memory of 2676	4244	cmd.exe	109
PID 4244 wrote to memory of 2676	4244	cmd.exe	109
PID 4244 wrote to memory of 2676	4244	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe
"C:\Users\Admin\AppData\Local\Temp\623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\623f370ffcd699ec452d68d164a04a91541b9423ba67d2da358b6294e7796be1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MK0rPFmEjW.sys

Filesize
100KB

MD5
b78512a09b506b7af9ea08d64ff16e08

SHA1
e6b79ac77ca72cacdcd1556e29af0fe949bfd89f

SHA256
91bd0ecb80d5ce3fafda7bda4a092f7beefff012f07c458a0056ca6363e7e3b1

SHA512
ea19f980269995f399a949ebd5e2dbde3dcd6b203e911dc1718e6223973540c44ffc82781ff3434448b5ae5f9367e115c98f5e904e46f5512cd8e0f44ab62d6d

Download Submit
memory/892-0-0x0000000000510000-0x0000000000641000-memory.dmp

Filesize
1.2MB

Download
memory/892-1-0x0000000000510000-0x0000000000641000-memory.dmp

Filesize
1.2MB

Download
memory/892-39-0x0000000000510000-0x0000000000641000-memory.dmp

Filesize
1.2MB

Download
memory/892-40-0x0000000000510000-0x0000000000641000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing