2a0bd6197d381f1e0d5fb74425b6d1c60d9f9b107eef5c91b3a8f7b91114d732

Analysis

max time kernel
119s
max time network
135s
platform
windows10_x64
resource
win10-en-20211104
submitted
25-11-2021 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

166fd7b7965859e1a19623771f8fee09.exe
Size

6.8MB
MD5

166fd7b7965859e1a19623771f8fee09
SHA1

f9f9846d360e4439b67090cabb6e729eb089bf81
SHA256

2a0bd6197d381f1e0d5fb74425b6d1c60d9f9b107eef5c91b3a8f7b91114d732
SHA512

e1500d76794971e6e900834d6d47a90ce37f0abf2b341401d7e4aefcf567e87579001ea6bfff1076a5f0ce98f1a63e030c5ccdbabe4acc45fbe4ba29ac3a0fe1

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

kmgaw.exe

pid process

4248 kmgaw.exe

pid	process
4248	kmgaw.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/992-118-0x00007FF671220000-0x00007FF671FCA000-memory.dmp	vmprotect
C:\Windows\kmgaw.exe	vmprotect
C:\Windows\kmgaw.exe	vmprotect
behavioral2/memory/4248-127-0x00007FF7AC960000-0x00007FF7AD70D000-memory.dmp	vmprotect
C:\Windows\winsdk.exe	vmprotect

Drops file in System32 directory 8 IoCs

Processes:

kmgaw.exe166fd7b7965859e1a19623771f8fee09.exe

description	ioc	process
File opened for modification	C:\Windows\System32\ucrtbased.dll	kmgaw.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	kmgaw.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	kmgaw.exe
File created	C:\Windows\System32\msvcp140d.dll	166fd7b7965859e1a19623771f8fee09.exe
File created	C:\Windows\System32\ucrtbased.dll	166fd7b7965859e1a19623771f8fee09.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	166fd7b7965859e1a19623771f8fee09.exe
File created	C:\Windows\System32\vcruntime140d.dll	166fd7b7965859e1a19623771f8fee09.exe
File opened for modification	C:\Windows\System32\msvcp140d.dll	kmgaw.exe

Drops file in Windows directory 3 IoCs

Processes:

166fd7b7965859e1a19623771f8fee09.exekmgaw.exe

description	ioc	process
File created	C:\Windows\winsdk.exe	166fd7b7965859e1a19623771f8fee09.exe
File created	C:\Windows\kmgaw.exe	166fd7b7965859e1a19623771f8fee09.exe
File opened for modification	C:\Windows\winsdk.exe	kmgaw.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

166fd7b7965859e1a19623771f8fee09.exekmgaw.exe

pid process

992 166fd7b7965859e1a19623771f8fee09.exe
992 166fd7b7965859e1a19623771f8fee09.exe
4248 kmgaw.exe
4248 kmgaw.exe

pid	process
992	166fd7b7965859e1a19623771f8fee09.exe
992	166fd7b7965859e1a19623771f8fee09.exe
4248	kmgaw.exe
4248	kmgaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

166fd7b7965859e1a19623771f8fee09.exe

description	pid	process	target process
PID 992 wrote to memory of 4204	992	166fd7b7965859e1a19623771f8fee09.exe	cmd.exe
PID 992 wrote to memory of 4204	992	166fd7b7965859e1a19623771f8fee09.exe	cmd.exe
PID 992 wrote to memory of 4248	992	166fd7b7965859e1a19623771f8fee09.exe	kmgaw.exe
PID 992 wrote to memory of 4248	992	166fd7b7965859e1a19623771f8fee09.exe	kmgaw.exe

C:\Users\Admin\AppData\Local\Temp\166fd7b7965859e1a19623771f8fee09.exe
"C:\Users\Admin\AppData\Local\Temp\166fd7b7965859e1a19623771f8fee09.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4204

C:\Windows\kmgaw.exe
C:\\Windows\\kmgaw.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BTTGMXQ\ucrtbased[1].dll
MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0JDXA5XR\filecoder[1].htm
MD5
10b9e801cb7b30401cc3c85f7ddbb9c5

SHA1
ba3eac18811cf6be7771c86a59bbab66558f6d49

SHA256
3c0ab4292cda5730bef1a8cfab5f3284c62a9d1a883338b67bd4a65327d60a23

SHA512
d44cfc70fae206b3ae9095404313efc2464931d86e87b1bb9e3523d2d5684c31798dd0da08b56400a2b522bfad19186744042ed12d64145336046e4beb149309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0JDXA5XR\vcruntime140d[1].dll
MD5
01eee7747651c32df22680c4f7ca9857

SHA1
20e509d36bce300aae0496a683fb7324a0d6302b

SHA256
2fbd0ef78ccc3e77b6275bb8fc679acff23bbb1ed19bc8821276fdc84dc74c4c

SHA512
8d89f7cf555cef73f9d3c2d559634491d7046d8f98cf4484d86579ba359d5631338d247bf79fb8f6e436cba13545264aa682fbfafc0783dde3d7e1406d83eb87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YCK9U05\rustversion[1].htm
MD5
4fb437564892944d73f87c822342e2bb

SHA1
e2607f6b788649e033ce30e1a047bf49c1f5fe91

SHA256
9c7f38a9ac4f5de592be486948ac944aff688f914e3b74e6917c7fe4715a561e

SHA512
d25242168ab59b74af156f7f6e10059ef1aad93bae2f9be54f8cae8320de04af20333050d5d259861d74bd69b2d694cd935890a253aa1f3343fbeafa3c496564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YCK9U05\vcruntime140_1d[1].dll
MD5
34dd0b914a497cb7449ce24825ced03c

SHA1
c22f8e7d16c2110f18886a2ac86fff12cebd3bf2

SHA256
69b33c529c39f69d6a82958a7c49b8fc1fd5421e35ef2ac5ecc83a394220021f

SHA512
b0651f43dfd2bd5b68daf387421a31e2667ad10f904696ec433cfba7ccde191dee0271ad00effbff348b5e4e900857009ac5762ed272fb9a6bf174ba6fc3ccd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LOEA0KPG\msvcp140d[1].dll
MD5
c4e2cff696a676129944a37fded935aa

SHA1
42e2e911c26bb302d07dcdfdfa084bfcffdcb66d

SHA256
2d9b2fb5e53666a2225c9c5dd7226754c4cde4f621f1da6e5dc34df718225c15

SHA512
359ceda3b1d769cbbe1ba03dddf7d2ab211dc2f1dfb3cde6e46da23e509b7473e922424fe212ae50865622f191b45de69fad43c086d6a964a53403ceb0529626

Download Submit
C:\Windows\System32\msvcp140d.dll
MD5
c4e2cff696a676129944a37fded935aa

SHA1
42e2e911c26bb302d07dcdfdfa084bfcffdcb66d

SHA256
2d9b2fb5e53666a2225c9c5dd7226754c4cde4f621f1da6e5dc34df718225c15

SHA512
359ceda3b1d769cbbe1ba03dddf7d2ab211dc2f1dfb3cde6e46da23e509b7473e922424fe212ae50865622f191b45de69fad43c086d6a964a53403ceb0529626

Download Submit
C:\Windows\System32\ucrtbased.dll
MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll
MD5
34dd0b914a497cb7449ce24825ced03c

SHA1
c22f8e7d16c2110f18886a2ac86fff12cebd3bf2

SHA256
69b33c529c39f69d6a82958a7c49b8fc1fd5421e35ef2ac5ecc83a394220021f

SHA512
b0651f43dfd2bd5b68daf387421a31e2667ad10f904696ec433cfba7ccde191dee0271ad00effbff348b5e4e900857009ac5762ed272fb9a6bf174ba6fc3ccd7

Download Submit
C:\Windows\System32\vcruntime140d.dll
MD5
01eee7747651c32df22680c4f7ca9857

SHA1
20e509d36bce300aae0496a683fb7324a0d6302b

SHA256
2fbd0ef78ccc3e77b6275bb8fc679acff23bbb1ed19bc8821276fdc84dc74c4c

SHA512
8d89f7cf555cef73f9d3c2d559634491d7046d8f98cf4484d86579ba359d5631338d247bf79fb8f6e436cba13545264aa682fbfafc0783dde3d7e1406d83eb87

Download Submit
C:\Windows\kmgaw.exe
MD5
6f1df5d4075dc8499a505a20afe7a8b4

SHA1
e3086fbed24b25a396f757144a6efb2fa1082574

SHA256
fb2604c4774fabb3c38cdaa40c46cde673cb98ac2bd58c46fc9a447849aaffb7

SHA512
10b9ffdfae90693d6a00055775e89f3a5928df5243c2d1be6cb9c45ca1b24308c03ec69e0c1cdfe1dbd77705b74c03827f00dc41923aecd11e1adf709d62df6b

Download Submit
C:\Windows\kmgaw.exe
MD5
6f1df5d4075dc8499a505a20afe7a8b4

SHA1
e3086fbed24b25a396f757144a6efb2fa1082574

SHA256
fb2604c4774fabb3c38cdaa40c46cde673cb98ac2bd58c46fc9a447849aaffb7

SHA512
10b9ffdfae90693d6a00055775e89f3a5928df5243c2d1be6cb9c45ca1b24308c03ec69e0c1cdfe1dbd77705b74c03827f00dc41923aecd11e1adf709d62df6b

Download Submit
C:\Windows\winsdk.exe
MD5
44f5ed4a35c4f381061b75ffbd982d51

SHA1
c60ee5b6b8214554540e90e1ab5ba58956da0857

SHA256
c50b1dd5764675b3a33e11397d6d9fab5269227174505c0683dc0748875ef3d6

SHA512
78594e1963b78ea529d56f899315272631487319ed575e68228407df4eb0f7e771d1ceb6a11e39236d580147b9a07700020032dfb6786e31ac5bfdd25c2ccd65

Download Submit
memory/992-118-0x00007FF671220000-0x00007FF671FCA000-memory.dmp

Filesize
13.7MB

Download
memory/992-120-0x00007FF9F62F0000-0x00007FF9F62F2000-memory.dmp

Filesize
8KB

Download
memory/4204-123-0x0000000000000000-mapping.dmp

Download
memory/4248-130-0x00007FF9F62F0000-0x00007FF9F62F2000-memory.dmp

Filesize
8KB

Download
memory/4248-127-0x00007FF7AC960000-0x00007FF7AD70D000-memory.dmp

Filesize
13.7MB

Download
memory/4248-124-0x0000000000000000-mapping.dmp

Download