63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8

Analysis

max time kernel
147s
max time network
83s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe
Size

2.2MB
MD5

be593691476b31e5bb478e3ee05cf87f
SHA1

a9f06824f8bfdb98be0d95992b0826042271170a
SHA256

63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8
SHA512

9f7128d1d9898b9f2c0f904e846b16f86c1fcfc852cf62f47a4adf9b0645ac6c1db3157c357211a1570801044d8043dc776d474f5278dc08f9f2252d81a02cc7
SSDEEP

49152:7Vg5tQ7axdiO2qT9zUBBl9N5HPpJ88T5UXehcb5:Rg56GyqFU59PPpJ8g5D

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

adgwijgweog.exe

pid process

1508 adgwijgweog.exe

pid	process
1508	adgwijgweog.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
behavioral1/memory/1508-59-0x00000000013C0000-0x0000000001706000-memory.dmp	vmprotect
behavioral1/memory/1508-61-0x00000000013C0000-0x0000000001706000-memory.dmp	vmprotect
behavioral1/memory/1508-63-0x00000000013C0000-0x0000000001706000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe

pid process

2036 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

adgwijgweog.exe

pid process

1508 adgwijgweog.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

adgwijgweog.exe

description pid process

Token: SeLockMemoryPrivilege 1508 adgwijgweog.exe

pid	process
2036	63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe

pid	process
1508	adgwijgweog.exe

description	pid	process
Token: SeLockMemoryPrivilege	1508	adgwijgweog.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe

description	pid	process	target process
PID 2036 wrote to memory of 1508	2036	63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe	adgwijgweog.exe
PID 2036 wrote to memory of 1508	2036	63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe	adgwijgweog.exe
PID 2036 wrote to memory of 1508	2036	63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe	adgwijgweog.exe
PID 2036 wrote to memory of 1508	2036	63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe	adgwijgweog.exe

C:\Users\Admin\AppData\Local\Temp\63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe
"C:\Users\Admin\AppData\Local\Temp\63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe -t 1 -o stratum+tcp://pool.minexmr.com:4444 -u 42NCdZTvv3WDjVJTd4ny51SXQiKhUyprE9zrP5BsjqJu9aeWqwunHK7aHFR9ya8gJf2REyYwBMDxMjiAVPMBqsVHQqJe91y -p x
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.4MB

MD5
8b11325f4b729b7072c050035b454759

SHA1
a5a5cf1910339490ec429b605a324b74a92edb38

SHA256
785d97c2c215c3c0b76c11610680f04236ef1a5c7fbcf4a86fb5f89996858b78

SHA512
f7951b33eac084e4921c304840da21680fa85b05bbd6e5068e9531f63a6d2f64d3ab9d1fb166703b51cc2bc9df977171a498ac91b3e472549a1c2de9d5bdf307

Download Submit
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.4MB

MD5
8b11325f4b729b7072c050035b454759

SHA1
a5a5cf1910339490ec429b605a324b74a92edb38

SHA256
785d97c2c215c3c0b76c11610680f04236ef1a5c7fbcf4a86fb5f89996858b78

SHA512
f7951b33eac084e4921c304840da21680fa85b05bbd6e5068e9531f63a6d2f64d3ab9d1fb166703b51cc2bc9df977171a498ac91b3e472549a1c2de9d5bdf307

Download Submit
C:\Users\Admin\AppData\Roaming\dvigowucpu\pools.txt
Filesize
196B

MD5
dfecc946287051a05f43f684a0a273f1

SHA1
25d44d43e38621d1f423081801ad2a1a98e8c8bb

SHA256
f55a47d63c5d38a6b5c2d68cf31223d3e6f2549124552c20d6501cb03f890692

SHA512
94826732603828a424612f0edd011df01ddc89dc7aaebc185e775607b55064ee0f8d09c78748e6b590640e1e3413f28536739232adaa4d437e038f782498261d

Download Submit
\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.4MB

MD5
8b11325f4b729b7072c050035b454759

SHA1
a5a5cf1910339490ec429b605a324b74a92edb38

SHA256
785d97c2c215c3c0b76c11610680f04236ef1a5c7fbcf4a86fb5f89996858b78

SHA512
f7951b33eac084e4921c304840da21680fa85b05bbd6e5068e9531f63a6d2f64d3ab9d1fb166703b51cc2bc9df977171a498ac91b3e472549a1c2de9d5bdf307

Download Submit
memory/1508-56-0x0000000000000000-mapping.dmp

Download
memory/1508-59-0x00000000013C0000-0x0000000001706000-memory.dmp

Filesize
3.3MB

Download
memory/1508-61-0x00000000013C0000-0x0000000001706000-memory.dmp

Filesize
3.3MB

Download
memory/1508-63-0x00000000013C0000-0x0000000001706000-memory.dmp

Filesize
3.3MB

Download
memory/2036-54-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download