b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b

Analysis

max time kernel
148s
max time network
13s
platform
windows7_x64
resource
win7v20201028
submitted
28-02-2021 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe
Size

5.1MB
MD5

bb3d3b2bddc91a0e37fa0eb640e5bbec
SHA1

641d3456dc9d0d329a3b28fdc3ba6fb247d1f42d
SHA256

b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b
SHA512

1f80e87de10bd846c8f8c0eeb8503a6d595c7bad4285b0ed90c299a3a93c21ec2658af93d45a8baa43d4de23ca6129527223e34489e69eb5abfcdaa61d580f8b

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

joined.vmp.exeServer.sfx.exeServer.exeInject32.exe

pid process

1936 joined.vmp.exe
1272 Server.sfx.exe
1124 Server.exe
748 Inject32.exe

pid	process
1936	joined.vmp.exe
1272	Server.sfx.exe
1124	Server.exe
748	Inject32.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\joined.vmp.exe	vmprotect
\Users\Admin\AppData\Local\Temp\joined.vmp.exe	vmprotect
\Users\Admin\AppData\Local\Temp\joined.vmp.exe	vmprotect
\Users\Admin\AppData\Local\Temp\joined.vmp.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\joined.vmp.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\joined.vmp.exe	vmprotect

Drops startup file 2 IoCs

Processes:

Inject32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Inject32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Inject32.exe

Loads dropped DLL 9 IoCs

Processes:

b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exejoined.vmp.exeServer.sfx.exeServer.exe

pid	process
1684	b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe
1684	b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe
1684	b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe
1684	b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe
1936	joined.vmp.exe
1272	Server.sfx.exe
1272	Server.sfx.exe
1272	Server.sfx.exe
1124	Server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

joined.vmp.exe

pid process

1936 joined.vmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

joined.vmp.exe

pid process

1936 joined.vmp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Inject32.exe

pid process

748 Inject32.exe

pid	process
1936	joined.vmp.exe

pid	process
1936	joined.vmp.exe

pid	process
748	Inject32.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Inject32.exe

description	pid	process
Token: SeDebugPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe
Token: 33	748	Inject32.exe
Token: SeIncBasePriorityPrivilege	748	Inject32.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exejoined.vmp.exeServer.sfx.exeServer.exe

description	pid	process	target process
PID 1684 wrote to memory of 1936	1684	b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe	joined.vmp.exe
PID 1684 wrote to memory of 1936	1684	b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe	joined.vmp.exe
PID 1684 wrote to memory of 1936	1684	b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe	joined.vmp.exe
PID 1684 wrote to memory of 1936	1684	b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe	joined.vmp.exe
PID 1936 wrote to memory of 1272	1936	joined.vmp.exe	Server.sfx.exe
PID 1936 wrote to memory of 1272	1936	joined.vmp.exe	Server.sfx.exe
PID 1936 wrote to memory of 1272	1936	joined.vmp.exe	Server.sfx.exe
PID 1936 wrote to memory of 1272	1936	joined.vmp.exe	Server.sfx.exe
PID 1936 wrote to memory of 1748	1936	joined.vmp.exe	NOTEPAD.EXE
PID 1936 wrote to memory of 1748	1936	joined.vmp.exe	NOTEPAD.EXE
PID 1936 wrote to memory of 1748	1936	joined.vmp.exe	NOTEPAD.EXE
PID 1936 wrote to memory of 1748	1936	joined.vmp.exe	NOTEPAD.EXE
PID 1272 wrote to memory of 1124	1272	Server.sfx.exe	Server.exe
PID 1272 wrote to memory of 1124	1272	Server.sfx.exe	Server.exe
PID 1272 wrote to memory of 1124	1272	Server.sfx.exe	Server.exe
PID 1272 wrote to memory of 1124	1272	Server.sfx.exe	Server.exe
PID 1124 wrote to memory of 748	1124	Server.exe	Inject32.exe
PID 1124 wrote to memory of 748	1124	Server.exe	Inject32.exe
PID 1124 wrote to memory of 748	1124	Server.exe	Inject32.exe
PID 1124 wrote to memory of 748	1124	Server.exe	Inject32.exe

C:\Users\Admin\AppData\Local\Temp\b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe
"C:\Users\Admin\AppData\Local\Temp\b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\joined.vmp.exe
"C:\Users\Admin\AppData\Local\Temp\joined.vmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\Inject32.exe
"C:\Users\Admin\AppData\Local\Temp\Inject32.exe"
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt
3⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inject32.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inject32.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
MD5
ef2f61fbe6f5595ca042d395ec9a25fd

SHA1
99958a935817acaac882de0ef440533b6641cb77

SHA256
622903bac5905919baea79ae8143c166c297658b2696a0129aedee6a93e6d6a9

SHA512
b34f3f43bb9568e2cc2f54ba2e1bd54e295266c6679b236f1dff7a2beb7f76dff190d4d000e0062e186ad198932b2d13a01762833aaf23c7c01f2e2106587d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
MD5
ef2f61fbe6f5595ca042d395ec9a25fd

SHA1
99958a935817acaac882de0ef440533b6641cb77

SHA256
622903bac5905919baea79ae8143c166c297658b2696a0129aedee6a93e6d6a9

SHA512
b34f3f43bb9568e2cc2f54ba2e1bd54e295266c6679b236f1dff7a2beb7f76dff190d4d000e0062e186ad198932b2d13a01762833aaf23c7c01f2e2106587d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\joined.vmp.exe
MD5
25c689e345e4f8112008edeeb50e5b54

SHA1
bd714c54c874280963f49d9c9b0965afb676368b

SHA256
6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9

SHA512
acd526c5ba60d43672963dceac8ab151d1e74f3f46180b2f5fbb7be377b7a1aba0ce8116e3f4b93f7beab33d265bdf210335b407d4fd5f1c09c6141a4be621fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\joined.vmp.exe
MD5
25c689e345e4f8112008edeeb50e5b54

SHA1
bd714c54c874280963f49d9c9b0965afb676368b

SHA256
6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9

SHA512
acd526c5ba60d43672963dceac8ab151d1e74f3f46180b2f5fbb7be377b7a1aba0ce8116e3f4b93f7beab33d265bdf210335b407d4fd5f1c09c6141a4be621fc

Download Submit
\Users\Admin\AppData\Local\Temp\Inject32.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
\Users\Admin\AppData\Local\Temp\Server.sfx.exe
MD5
ef2f61fbe6f5595ca042d395ec9a25fd

SHA1
99958a935817acaac882de0ef440533b6641cb77

SHA256
622903bac5905919baea79ae8143c166c297658b2696a0129aedee6a93e6d6a9

SHA512
b34f3f43bb9568e2cc2f54ba2e1bd54e295266c6679b236f1dff7a2beb7f76dff190d4d000e0062e186ad198932b2d13a01762833aaf23c7c01f2e2106587d9e

Download Submit
\Users\Admin\AppData\Local\Temp\joined.vmp.exe
MD5
25c689e345e4f8112008edeeb50e5b54

SHA1
bd714c54c874280963f49d9c9b0965afb676368b

SHA256
6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9

SHA512
acd526c5ba60d43672963dceac8ab151d1e74f3f46180b2f5fbb7be377b7a1aba0ce8116e3f4b93f7beab33d265bdf210335b407d4fd5f1c09c6141a4be621fc

Download Submit
\Users\Admin\AppData\Local\Temp\joined.vmp.exe
MD5
25c689e345e4f8112008edeeb50e5b54

SHA1
bd714c54c874280963f49d9c9b0965afb676368b

SHA256
6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9

SHA512
acd526c5ba60d43672963dceac8ab151d1e74f3f46180b2f5fbb7be377b7a1aba0ce8116e3f4b93f7beab33d265bdf210335b407d4fd5f1c09c6141a4be621fc

Download Submit
\Users\Admin\AppData\Local\Temp\joined.vmp.exe
MD5
25c689e345e4f8112008edeeb50e5b54

SHA1
bd714c54c874280963f49d9c9b0965afb676368b

SHA256
6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9

SHA512
acd526c5ba60d43672963dceac8ab151d1e74f3f46180b2f5fbb7be377b7a1aba0ce8116e3f4b93f7beab33d265bdf210335b407d4fd5f1c09c6141a4be621fc

Download Submit
\Users\Admin\AppData\Local\Temp\joined.vmp.exe
MD5
25c689e345e4f8112008edeeb50e5b54

SHA1
bd714c54c874280963f49d9c9b0965afb676368b

SHA256
6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9

SHA512
acd526c5ba60d43672963dceac8ab151d1e74f3f46180b2f5fbb7be377b7a1aba0ce8116e3f4b93f7beab33d265bdf210335b407d4fd5f1c09c6141a4be621fc

Download Submit
memory/748-36-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/748-32-0x0000000000000000-mapping.dmp

Download
memory/1124-25-0x0000000000000000-mapping.dmp

Download
memory/1124-30-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1272-16-0x0000000000000000-mapping.dmp

Download
memory/1684-3-0x0000000000F60000-0x0000000001061000-memory.dmp

Filesize
1.0MB

Download
memory/1684-2-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1748-20-0x0000000000000000-mapping.dmp

Download
memory/1936-9-0x0000000000000000-mapping.dmp

Download
memory/1936-12-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1936-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download