abfe75012e58d50f3721c9ac42b614fd96ae26ea40b120a1dc90a1c46b0b8dad

General

Target

1b6cf3ed88453123a5b3c1fda495a0fc.exe
Size

140KB
MD5

1b6cf3ed88453123a5b3c1fda495a0fc
SHA1

b0fab49496d7566de454d3251966afb2e990ef5f
SHA256

abfe75012e58d50f3721c9ac42b614fd96ae26ea40b120a1dc90a1c46b0b8dad
SHA512

0f1bdcae3fadccc58612451e1bfbdf1dc8563f561d3ecd7a89a11eda773fb3372b10526b6909261d34471a329d0fd48c3d50701b95c8b0fe6ce4862d5cececcf

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vitrwm.exe

pid process

524 vitrwm.exe

pid	process
524	vitrwm.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1520-54-0x0000000000400000-0x0000000000450000-memory.dmp	vmprotect
C:\Windows\SysWOW64\vitrwm.exe	vmprotect
C:\Windows\SysWOW64\vitrwm.exe	vmprotect

Drops startup file 1 IoCs

Processes:

1b6cf3ed88453123a5b3c1fda495a0fc.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kyg	1b6cf3ed88453123a5b3c1fda495a0fc.exe

Drops file in System32 directory 2 IoCs

Processes:

1b6cf3ed88453123a5b3c1fda495a0fc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\vitrwm.exe	1b6cf3ed88453123a5b3c1fda495a0fc.exe
File opened for modification	C:\Windows\SysWOW64\vitrwm.exe	1b6cf3ed88453123a5b3c1fda495a0fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

1b6cf3ed88453123a5b3c1fda495a0fc.exe

pid process

1520 1b6cf3ed88453123a5b3c1fda495a0fc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1b6cf3ed88453123a5b3c1fda495a0fc.exe

description pid process

Token: SeIncBasePriorityPrivilege 1520 1b6cf3ed88453123a5b3c1fda495a0fc.exe

pid	process
1520	1b6cf3ed88453123a5b3c1fda495a0fc.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1520	1b6cf3ed88453123a5b3c1fda495a0fc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1b6cf3ed88453123a5b3c1fda495a0fc.exe

description	pid	process	target process
PID 1520 wrote to memory of 868	1520	1b6cf3ed88453123a5b3c1fda495a0fc.exe	cmd.exe
PID 1520 wrote to memory of 868	1520	1b6cf3ed88453123a5b3c1fda495a0fc.exe	cmd.exe
PID 1520 wrote to memory of 868	1520	1b6cf3ed88453123a5b3c1fda495a0fc.exe	cmd.exe
PID 1520 wrote to memory of 868	1520	1b6cf3ed88453123a5b3c1fda495a0fc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1b6cf3ed88453123a5b3c1fda495a0fc.exe
"C:\Users\Admin\AppData\Local\Temp\1b6cf3ed88453123a5b3c1fda495a0fc.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1B6CF3~1.EXE > nul
2⤵
PID:868

C:\Windows\SysWOW64\vitrwm.exe
C:\Windows\SysWOW64\vitrwm.exe
1⤵
- Executes dropped EXE
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vitrwm.exe
MD5
593583cd26e86d59f79cdb58fc8c81d5

SHA1
174541f60b0ed4c1026a2deede503e8de1e2f86a

SHA256
4cfe29d3de0e869bba46d4f95203e228ac0ce00f58617d610fbc8012af090d42

SHA512
0a431a876b4636d3957ab7133d72f83b522ce8562f6973d34e4e166486d0bc4b61dbdea783eccf7cb181dfdc4b1db3bb17d127f07f729165215d78e6116abf1d

Download Submit
C:\Windows\SysWOW64\vitrwm.exe
MD5
593583cd26e86d59f79cdb58fc8c81d5

SHA1
174541f60b0ed4c1026a2deede503e8de1e2f86a

SHA256
4cfe29d3de0e869bba46d4f95203e228ac0ce00f58617d610fbc8012af090d42

SHA512
0a431a876b4636d3957ab7133d72f83b522ce8562f6973d34e4e166486d0bc4b61dbdea783eccf7cb181dfdc4b1db3bb17d127f07f729165215d78e6116abf1d

Download Submit
memory/868-59-0x0000000000000000-mapping.dmp

Download
memory/1520-54-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1520-57-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads