Analysis
-
max time kernel
174s -
max time network
207s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
25-11-2022 09:30
General
-
Target
7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
-
Size
4.1MB
-
MD5
dbbb4cfc6d9cd1356d53c122cb97fd97
-
SHA1
5ce4ef9531612019dbf309436c8c55d290323fe6
-
SHA256
7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995
-
SHA512
8b147e79651f517d66be6e31b09bca95571ee69da5ba1f6639a08a66419ba5d50ab02051fadb7858b39cb68acd4d28029ef7c3ec48ce05da52718f1efbbf7580
-
SSDEEP
98304:wdBaZn29qwS9m51SXt1T8GTH8gS4TyF0ES5:kgY9AwKtV8GTcgHGF0
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 1 IoCs
-
VMProtect packed file 7 IoCs
Detects executables packed with VMProtect commercial packer.
-
Drops file in System32 directory 11 IoCs
-
Drops file in Windows directory 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe"C:\Users\Admin\AppData\Local\Temp\7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Pemhkdcxvgmi.exe"C:\Users\Admin\AppData\Local\Temp\Pemhkdcxvgmi.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Pemhkdcxvgmi.exeFilesize
2.8MB
MD583bfee62a205080de8355e4601dc463f
SHA170e60ba0644266ef8937181120d8a16428081bb2
SHA25675d5cb1a618b997d3fc5e2030df44b596847d2cee1cb4fe055400197feff64d3
SHA512555ca560983ef29b27fa5c240f0da1ae9d04969297ea1833c753ec1c0e65875e6ff67c4dfca193d962e3c80148a5c2d837d0b78d611b0e3f59950ac0a9f9f3e8
-
C:\Users\Admin\AppData\Local\Temp\Pemhkdcxvgmi.exeFilesize
2.8MB
MD583bfee62a205080de8355e4601dc463f
SHA170e60ba0644266ef8937181120d8a16428081bb2
SHA25675d5cb1a618b997d3fc5e2030df44b596847d2cee1cb4fe055400197feff64d3
SHA512555ca560983ef29b27fa5c240f0da1ae9d04969297ea1833c753ec1c0e65875e6ff67c4dfca193d962e3c80148a5c2d837d0b78d611b0e3f59950ac0a9f9f3e8
-
C:\Windows\Sy.iniFilesize
169B
MD59b96634bcea19a9a554e8fd35510f92d
SHA1d6f3d6cda170f439ba7b6b2f798d50ac9373d07f
SHA256710c32e33dfcb77e8e39701ddefa1619a4c892b92b7a0ff1c2b88bb115ea98b9
SHA512ba655b4673b34b7b79ed112a2f21263a351195f2b55e7c857df88f1f550b90ea73ff1b000e133bf2b65447e54a3d051efa92b53177f10e1f72746e7b85b1c076
-
memory/1420-132-0x0000000000400000-0x0000000000C57000-memory.dmpFilesize
8.3MB
-
memory/1420-133-0x0000000000400000-0x0000000000C57000-memory.dmpFilesize
8.3MB
-
memory/1420-138-0x0000000000400000-0x0000000000C57000-memory.dmpFilesize
8.3MB
-
memory/3400-134-0x0000000000000000-mapping.dmp
-
memory/3400-137-0x0000000000400000-0x0000000000DC7000-memory.dmpFilesize
9.8MB
-
memory/3400-139-0x0000000000400000-0x0000000000DC7000-memory.dmpFilesize
9.8MB