Overview

overview

8

Static

static

5

540aab246a...c4.exe

windows7-x64

8

540aab246a...c4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe

  • Size

    2.4MB

  • MD5

    ca30450486a3074881dd3847ae39048c

  • SHA1

    db7e12aa440b58371b4103f0ef3d6c1ffa136732

  • SHA256

    540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4

  • SHA512

    1f9a28f2e7215702d0a5cb64080a48c1067158afcef8cbb29cfd3c8ebe51df9c30ea402ffb6fb7bcd4013277f02364804143931e3af7b737af207e935f3cc552

  • SSDEEP

    49152:OZzO43KtaISugRed1bVkaTMG1DFf3opuH6LIQntMre/DB2M:jtaDyhf3oHLI2tMi/DB2

Score
8/10
vmprotect

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • VMProtect packed file 14 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe
    "C:\Users\Admin\AppData\Local\Temp\540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
      C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe -t 1 -o stratum+tcp://xmr-usa.dwarfpool.com:8005 -u 42NCdZTvv3WDjVJTd4ny51SXQiKhUyprE9zrP5BsjqJu9aeWqwunHK7aHFR9ya8gJf2REyYwBMDxMjiAVPMBqsVHQqJe91y -p x
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
        C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe -t 1 -o stratum+tcp://xmr-usa.dwarfpool.com:8005 -u 42NCdZTvv3WDjVJTd4ny51SXQiKhUyprE9zrP5BsjqJu9aeWqwunHK7aHFR9ya8gJf2REyYwBMDxMjiAVPMBqsVHQqJe91y -p x
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
          C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe -t 1 -o stratum+tcp://xmr-usa.dwarfpool.com:8005 -u 42NCdZTvv3WDjVJTd4ny51SXQiKhUyprE9zrP5BsjqJu9aeWqwunHK7aHFR9ya8gJf2REyYwBMDxMjiAVPMBqsVHQqJe91y -p x
          4⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          PID:1368
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4584 -s 660
        3⤵
        • Program crash
        PID:4568
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 408 -p 4584 -ip 4584
    1⤵
      PID:2260

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
      Filesize

      1.5MB

      MD5

      37e2490d6c9391fe81043eeb7cfa637a

      SHA1

      6cdbd359838b7213f2958717b914b1ac4157408c

      SHA256

      18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

      SHA512

      fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
      Filesize

      1.5MB

      MD5

      37e2490d6c9391fe81043eeb7cfa637a

      SHA1

      6cdbd359838b7213f2958717b914b1ac4157408c

      SHA256

      18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

      SHA512

      fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
      Filesize

      1.5MB

      MD5

      37e2490d6c9391fe81043eeb7cfa637a

      SHA1

      6cdbd359838b7213f2958717b914b1ac4157408c

      SHA256

      18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

      SHA512

      fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
      Filesize

      1.5MB

      MD5

      37e2490d6c9391fe81043eeb7cfa637a

      SHA1

      6cdbd359838b7213f2958717b914b1ac4157408c

      SHA256

      18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

      SHA512

      fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\dvigowucpu\pools.txt
      Filesize

      154B

      MD5

      4a467c266bf7474bace3615884e8793b

      SHA1

      efc82124fbfd11d9f7b3a3b0ff1e027465bcd0dc

      SHA256

      2074cbb2a779b15b0e28dd98cc59dfbfeeb1d5829ef15ccd80a1e36cc5651a2a

      SHA512

      96a359188cf16d4a850c08393d08189af8d175983ddeca54a1eb1ed45b39798eefff421e132a7f081fa47d812a62dd8c1b2fa872d7bf9fc2fa6af7e7b3feccf5

      Download Submit

    • memory/436-146-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/436-140-0x0000000000000000-mapping.dmp

      Download

    • memory/436-154-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/436-142-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/436-145-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/1368-147-0x0000000000000000-mapping.dmp

      Download

    • memory/1368-149-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/1368-152-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/1368-155-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/4584-139-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/4584-135-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/4584-153-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/4584-132-0x0000000000000000-mapping.dmp

      Download