2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
Size

198KB
MD5

52a7ae80da298b45ddc79d93142b6710
SHA1

39860118701bf0bcef8cb04e9707f9beb6cfd1c4
SHA256

2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012
SHA512

5cc8ae1d65710a6b70dcee6916e437ca44d77236fa2bb8d41fb19ee92e6318448c56bcf304cf6d2803ae8f5a0345791556336dcf097a44b2e6b0bfefa4c43038
SSDEEP

6144:znycVxqMDbbFDhCW4C92lHf8mhBKIwlplA:DpVxqSbbFDhT2RkmHGTl

Score

10^/10

evasion trojan vmprotect

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1380-55-0x0000000000400000-0x0000000000428000-memory.dmp	vmprotect
behavioral1/memory/1380-56-0x0000000000400000-0x0000000000428000-memory.dmp	vmprotect

Drops file in System32 directory 1 IoCs

Processes:

2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

description ioc process

File created C:\Windows\SysWOW64\test.dat 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

pid process

1380 2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

description	ioc	process
File created	C:\Windows\SysWOW64\test.dat	2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

pid	process
1380	2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe

C:\Users\Admin\AppData\Local\Temp\2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe
"C:\Users\Admin\AppData\Local\Temp\2f8e471cd92be1ceb8a2689c006d802f5e76135ce035196c555bbaa00d361012.exe"
1⤵
- UAC bypass
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System policy modification
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1380-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download