Overview

overview

8

Static

static

8

29b513fdbb...0e.exe

windows7-x64

8

29b513fdbb...0e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29b513fdbbe72c15a6961af6af3e758d8eefbc22753de155d2c1f0b0b954660e.exe

  • Size

    120KB

  • MD5

    addab1c297f678b00958d6564b785dca

  • SHA1

    b5abef2ce28ef39a8400d77dfc875cf02f1f798a

  • SHA256

    29b513fdbbe72c15a6961af6af3e758d8eefbc22753de155d2c1f0b0b954660e

  • SHA512

    f031e53fa165a6f1324169ae26f34d52d5207aaf9f2887547c6fff0e869babb5ec8581daa115582ec98b9690eced3f2cafc0ec057226127adcc925287de2385f

  • SSDEEP

    3072:6JwejfQQpiipQpU1EgKOCHYk05GPqAzVQuLQ/eO:6vxV1COCHvQ8qABQ2GB

Score
8/10
vmprotect

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 8 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29b513fdbbe72c15a6961af6af3e758d8eefbc22753de155d2c1f0b0b954660e.exe
    "C:\Users\Admin\AppData\Local\Temp\29b513fdbbe72c15a6961af6af3e758d8eefbc22753de155d2c1f0b0b954660e.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2028
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\6975.vbs"
      2⤵
        PID:1496
    • C:\Program Files (x86)\Windows Mgvqqz\Ciypmcm.exe
      "C:\Program Files (x86)\Windows Mgvqqz\Ciypmcm.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:560

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Windows Mgvqqz\Ciypmcm.exe
      Filesize

      100.1MB

      MD5

      54703ea5a3c9d059614034fba856634c

      SHA1

      802e56e6fd5302bf661d1ef35648c0053be1617f

      SHA256

      650a741d2dce8360d13d81663d0de757a85baeed6034838fc88a201fc1a4d5e6

      SHA512

      0a132cb24211f141fede8c2b43fee7c5884fa598239c18acb3ba474081b2033e2f22852af7c293445942c86463c92ff1c6a3d0d5fdf41f1df953ed7d2aced6d9

      Download Submit
    • C:\Program Files (x86)\Windows Mgvqqz\Ciypmcm.exe
      Filesize

      100.1MB

      MD5

      54703ea5a3c9d059614034fba856634c

      SHA1

      802e56e6fd5302bf661d1ef35648c0053be1617f

      SHA256

      650a741d2dce8360d13d81663d0de757a85baeed6034838fc88a201fc1a4d5e6

      SHA512

      0a132cb24211f141fede8c2b43fee7c5884fa598239c18acb3ba474081b2033e2f22852af7c293445942c86463c92ff1c6a3d0d5fdf41f1df953ed7d2aced6d9

      Download Submit
    • memory/560-61-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/560-63-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/560-64-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/2028-54-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/2028-56-0x0000000075531000-0x0000000075533000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2028-57-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/2028-58-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download