Overview

overview

8

Static

static

8

54eeafda56...d2.exe

windows7-x64

8

54eeafda56...d2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    184s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 22:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe

  • Size

    1000KB

  • MD5

    5243304fabf5c86ad841ae481c2facc0

  • SHA1

    19c2acb84a34e075f9979f24c665c70f31a7e071

  • SHA256

    54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2

  • SHA512

    fa28ce838a7e0995452b35b6e17ebc1128aa17020268f445afa6251186545b00633f25815e932f1c12aabfb7f3124e918d1c8d20b6cfcf73fbb9c662349e0623

  • SSDEEP

    24576:8ALZLnX+C/UPvnCEiEPAVoM5Xly3zGfvrtdP:jLtuCmvw8Gj5V/ztd

Score
8/10
vmprotect

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe
    "C:\Users\Admin\AppData\Local\Temp\54eeafda566fe9e02229ae251a1c71da931ab46e9e2fa5678be1cf208d8a51d2.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsas.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:968
    • C:\Windows\SysWOW64\RunDll32.exe
      RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      PID:980
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im lsas.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x570
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:512

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/968-57-0x0000000000000000-mapping.dmp
    Download
  • memory/980-61-0x0000000000000000-mapping.dmp
    Download
  • memory/980-64-0x0000000072701000-0x0000000072703000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1324-54-0x0000000000400000-0x0000000000610000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1324-58-0x0000000076191000-0x0000000076193000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1324-59-0x0000000000400000-0x0000000000610000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1324-60-0x0000000002050000-0x0000000002060000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1324-66-0x0000000000400000-0x0000000000610000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1324-67-0x0000000002050000-0x0000000002060000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1324-70-0x0000000007830000-0x0000000007844000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1692-65-0x0000000000000000-mapping.dmp
    Download