Resubmissions

  • 16-11-2022 11:58  221116-n5aq7aad43  (score 8)
  • 09-10-2020 13:09  201009-kl8as1qf7e  (score 8)

Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-11-2022 11:58

General

  • Target

    9f84be3a53d5f2a03a9ec2e60093c70293e15fd91addeb3936fd1f8c3b013b1d.exe

  • Size

    6.0MB

  • MD5

    127e7dce984cc0acea750746b485c101

  • SHA1

    2e920f4583c38f811fdad739ebaf5064badec42d

  • SHA256

    9f84be3a53d5f2a03a9ec2e60093c70293e15fd91addeb3936fd1f8c3b013b1d

  • SHA512

    408196e79f98a68961c478d0125f5c7b76b9979c26c23a767fc605bd2fc5cdad64a72d3a3c06e2c934f3c86b70e662b3bd27a4b818dc75f4daea923c586d4eb6

  • SSDEEP

    98304:eMGA/GKxx3TknUXUGG5ghUA2dqGJSkIX0BLNYDodDygooqgcZmOf9XhzuALXwHK:eMGA/FxVTp7MzA28GJRVlNGabiZv1Xhk

Score
8/10

Malware Config

Signatures

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
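The two discovery techniques flagged above (reading the root of non-C: drives and reading the SCSI device-map Identifier) re-implemented as an added example for analysts who want to reproduce or write detections for them. This is not code from the sample or from the report. Note that on this page the SCSI check is attributed to taskmgr.exe (PID 5044), not to the sample. The registry path, the "Identifier" value name and the hypervisor marker strings are assumptions based on common usage, not taken from the report; the pure-logic helpers run on any platform, the registry and ctypes calls only on Windows.

```python
"""Re-implementation of the drive-enumeration and SCSI-registry checks (added example)."""
import sys
from typing import List, Optional

# Assumption: standard Windows device-map location used for this check.
SCSI_KEY = r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"

# Assumption: substrings that hypervisors commonly report in the virtual disk Identifier.
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "XEN", "VIRTUAL")


def classify_scsi_identifier(identifier: Optional[str]) -> Optional[str]:
    """Return the first hypervisor marker found in a SCSI Identifier string, else None.

    The comparison is case-insensitive substring matching, which is how this
    check is usually implemented in samples and in detection rules alike.
    """
    if not identifier:
        return None
    upper = identifier.upper()
    for marker in HYPERVISOR_MARKERS:
        if marker in upper:
            return marker
    return None


def read_scsi_identifier() -> Optional[str]:
    """Read the disk Identifier from the registry. Windows only; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # imported lazily so the module loads on non-Windows hosts
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Identifier")
            return str(value)
    except OSError:
        return None


def drive_roots_from_mask(mask: int) -> List[str]:
    """Decode the GetLogicalDrives() bitmask: bit 0 is A:, bit 2 is C:, and so on."""
    return [f"{chr(ord('A') + bit)}:\\" for bit in range(26) if mask & (1 << bit)]


def non_system_drives(mask: int, system_root: str = "C:\\") -> List[str]:
    """Root paths other than the system drive: the set the signature above keys on."""
    return [root for root in drive_roots_from_mask(mask) if root.upper() != system_root.upper()]


def logical_drive_mask() -> int:
    """Call kernel32!GetLogicalDrives via ctypes. Windows only; 0 elsewhere."""
    if sys.platform != "win32":
        return 0
    import ctypes
    return ctypes.windll.kernel32.GetLogicalDrives()


if __name__ == "__main__":
    ident = read_scsi_identifier()
    print("SCSI Identifier:", ident, "->", classify_scsi_identifier(ident))
    print("non-system drives:", non_system_drives(logical_drive_mask()))
```

Run on the analysis VM itself to see what the sample would have seen; a marker hit from `classify_scsi_identifier` is the condition evasive samples branch on, which is why hardened sandboxes patch the Identifier value.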

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f84be3a53d5f2a03a9ec2e60093c70293e15fd91addeb3936fd1f8c3b013b1d.exe
    "C:\Users\Admin\AppData\Local\Temp\9f84be3a53d5f2a03a9ec2e60093c70293e15fd91addeb3936fd1f8c3b013b1d.exe"
    (tree depth 1, top-level process)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3080
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    (tree depth 1, top-level process, not a child of the sample)
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5044

Both processes sit at depth 1 of the tree, so taskmgr.exe is not a child of the sample. The signatures attributed to PID 5044 (SCSI registry reads, GetForegroundWindowSpam, FindShellTrayWindow, SendNotifyMessage) belong to taskmgr.exe and are consistent with Task Manager's normal operation; the behaviours attributable to the sample itself are only those listed under PID 3080.

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2 hits
  • Peripheral Device Discovery (T1120): 2 hits
  • System Information Discovery (T1082): 2 hits


Downloads

  • memory/3080-132-0x0000000000400000-0x0000000000E0A000-memory.dmp
    Filesize

    10.0MB

  • memory/3080-134-0x0000000000400000-0x0000000000E0A000-memory.dmp
    Filesize

    10.0MB

  • memory/3080-135-0x0000000002E40000-0x0000000002F34000-memory.dmp
    Filesize

    976KB

  • memory/3080-136-0x0000000000400000-0x0000000000E0A000-memory.dmp
    Filesize

    10.0MB
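An added consistency check over the Downloads list, not part of the report: it parses each dump name into PID, sequence number and address range, recomputes the region size and compares it with the stated Filesize, and lists the distinct regions so repeated snapshots of the same range stand out. The four entries above are embedded as constructed input; the treatment of 0x400000 as the image base is an assumption (it is the default x86 image base, and the report does not state the sample's base).

```python
"""Recompute and cross-check memory-dump sizes from the Downloads list (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

# Constructed input: the four Downloads entries above as (dump name, stated Filesize).
DUMPS = [
    ("memory/3080-132-0x0000000000400000-0x0000000000E0A000-memory.dmp", "10.0MB"),
    ("memory/3080-134-0x0000000000400000-0x0000000000E0A000-memory.dmp", "10.0MB"),
    ("memory/3080-135-0x0000000002E40000-0x0000000002F34000-memory.dmp", "976KB"),
    ("memory/3080-136-0x0000000000400000-0x0000000000E0A000-memory.dmp", "10.0MB"),
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    """Split a dump file name into its PID, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def human_size(n: int) -> str:
    """Format like the report: one decimal in MB at or above 1 MiB, whole KB below."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n / 1024:.0f}KB"


def parse_size(text: str) -> int:
    """Inverse of human_size for stated values such as '6.0MB' or '976KB'."""
    m = re.fullmatch(r"([0-9.]+)(KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    value, unit = float(m[1]), m[2]
    return int(value * (1024 if unit == "KB" else 1 << 20))


def verify_dumps(entries: Sequence[Tuple[str, str]]) -> Dict[str, Tuple[int, str, bool]]:
    """Map each dump name to (computed size, stated size, whether they agree)."""
    out = {}
    for name, stated in entries:
        size = parse_dump_name(name).size
        out[name] = (size, stated, human_size(size) == stated)
    return out


def distinct_regions(entries: Sequence[Tuple[str, str]]) -> List[Tuple[int, int]]:
    """Unique (start, end) ranges, so repeated snapshots of one range collapse to one line."""
    return sorted({(r.start, r.end) for r in (parse_dump_name(n) for n, _ in entries)})


def image_region(entries: Sequence[Tuple[str, str]], image_base: int = 0x400000) -> Optional[Tuple[int, int]]:
    """The dumped range starting at the assumed image base, if any."""
    for start, end in distinct_regions(entries):
        if start == image_base:
            return (start, end)
    return None


if __name__ == "__main__":
    for name, (size, stated, ok) in verify_dumps(DUMPS).items():
        print(f"{name}: 0x{size:X} bytes = {human_size(size)} (stated {stated}) {'OK' if ok else 'MISMATCH'}")
    for start, end in distinct_regions(DUMPS):
        print(f"region 0x{start:08X}-0x{end:08X} ({human_size(end - start)})")
    base = image_region(DUMPS)
    if base:
        print(f"image-base region is {human_size(base[1] - base[0])} in memory vs 6.0MB on disk")
```

The 0x400000 range was captured three times (sequence 132, 134, 136), which is the snapshot to take to a disassembler once the VMProtect layer has run; the single 976KB region at 0x2E40000 is a separate allocation and worth a look for decrypted strings or a secondary payload.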