Overview

overview

8

Static

static

8

fbdaf23034...82.exe

windows7-x64

8

fbdaf23034...82.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    143s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbdaf2303420e54eee343ada4a4debca8addd7c8af49c536a27413560245d782.exe

  • Size

    1.3MB

  • MD5

    aac9adcb3be1b04126298549f47a61ed

  • SHA1

    f2de6c733816b7492fe14b793600e51e9e2949d2

  • SHA256

    fbdaf2303420e54eee343ada4a4debca8addd7c8af49c536a27413560245d782

  • SHA512

    f7b0fd1e3bf6c962ca55463f999a93b3e23b9073e833cef65a2aba1bf1f4cab9d8777a09773ad53d7a756c036d4425b5fc42ffe2d3323a83a917b0dc3eb94ea3

  • SSDEEP

    24576:gxcRI1NSSx+6ZQK0EqhShkYwFBXF8IJzYe6t/scHDZEFyoC/MBM4q5BPqDnAZL:gV1PxHiK0EWSwrBRK/scdEEoQMBq5lH

Score
8/10
vmprotect

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbdaf2303420e54eee343ada4a4debca8addd7c8af49c536a27413560245d782.exe
    "C:\Users\Admin\AppData\Local\Temp\fbdaf2303420e54eee343ada4a4debca8addd7c8af49c536a27413560245d782.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\31EA.tmp
      "C:\Users\Admin\AppData\Local\Temp\31EA.tmp"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3341.tmp.bat" "
        3⤵
          PID:1588
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\322A.tmp.bat" "
        2⤵
        • Deletes itself
        PID:1512
    • C:\Windows\system32\WUU.exe
      C:\Windows\system32\WUU.exe
      1⤵
      • Executes dropped EXE
      PID:1604

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\31EA.tmp
      Filesize

      309KB

      MD5

      d431aca4af67918e4b98ae9123e2d7ea

      SHA1

      964c9cd02f7ccfa538237197a14d3c7de56cf8ed

      SHA256

      bf1519788b803625bc1c420690e4032c139b0c28450e4e823f464e431d974969

      SHA512

      66637426153b14afc8068c2b11e6aa500cb1b6556ec4b0ac4f3460f497be7e1b0ee773129b44159938f8b516225d5efe478899b2e15e00949a838e9ff84dd91f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\31EA.tmp
      Filesize

      309KB

      MD5

      d431aca4af67918e4b98ae9123e2d7ea

      SHA1

      964c9cd02f7ccfa538237197a14d3c7de56cf8ed

      SHA256

      bf1519788b803625bc1c420690e4032c139b0c28450e4e823f464e431d974969

      SHA512

      66637426153b14afc8068c2b11e6aa500cb1b6556ec4b0ac4f3460f497be7e1b0ee773129b44159938f8b516225d5efe478899b2e15e00949a838e9ff84dd91f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\322A.tmp.bat
      Filesize

      306B

      MD5

      6ca51da9aa95c29fc29853d6ff1a5a64

      SHA1

      fbeff33dfa7a5410d912258b0a85f7bc9a24e76b

      SHA256

      b85224282343ddaeb077856f24d89160a1c01bdcec671464d00dc07367c49472

      SHA512

      4cbb6c0861ef2fa02c1205694caa6f9f2eda72fec8a480ebc23c2cb31a05c566c0b21a87e856dd28c9cf82aa12f04564eac77e34829b022e6cb5a4ab6619c16f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3341.tmp.bat
      Filesize

      186B

      MD5

      a0c445a556441e278362417c7442acd3

      SHA1

      17bd29f5779791255d7e50944ce0c62b45bbd732

      SHA256

      f2911095ae095a188b4cdbfc3015ce5a5155904cd18d7b1ff0fb597e4e9e9ce8

      SHA512

      4f8284ac7fe36ba72aa0d69a256b19e036be1f2774853fc017a3065260d78f3e0118ff6cd3268a891a158aa102cca2f5f43f7f79835bc4984fc8c7f588d5c783

      Download Submit
    • C:\Windows\System32\WUU.exe
      Filesize

      309KB

      MD5

      d431aca4af67918e4b98ae9123e2d7ea

      SHA1

      964c9cd02f7ccfa538237197a14d3c7de56cf8ed

      SHA256

      bf1519788b803625bc1c420690e4032c139b0c28450e4e823f464e431d974969

      SHA512

      66637426153b14afc8068c2b11e6aa500cb1b6556ec4b0ac4f3460f497be7e1b0ee773129b44159938f8b516225d5efe478899b2e15e00949a838e9ff84dd91f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\31EA.tmp
      Filesize

      309KB

      MD5

      d431aca4af67918e4b98ae9123e2d7ea

      SHA1

      964c9cd02f7ccfa538237197a14d3c7de56cf8ed

      SHA256

      bf1519788b803625bc1c420690e4032c139b0c28450e4e823f464e431d974969

      SHA512

      66637426153b14afc8068c2b11e6aa500cb1b6556ec4b0ac4f3460f497be7e1b0ee773129b44159938f8b516225d5efe478899b2e15e00949a838e9ff84dd91f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\31EA.tmp
      Filesize

      309KB

      MD5

      d431aca4af67918e4b98ae9123e2d7ea

      SHA1

      964c9cd02f7ccfa538237197a14d3c7de56cf8ed

      SHA256

      bf1519788b803625bc1c420690e4032c139b0c28450e4e823f464e431d974969

      SHA512

      66637426153b14afc8068c2b11e6aa500cb1b6556ec4b0ac4f3460f497be7e1b0ee773129b44159938f8b516225d5efe478899b2e15e00949a838e9ff84dd91f

      Download Submit
    • \Windows\System32\WUU.exe
      Filesize

      309KB

      MD5

      d431aca4af67918e4b98ae9123e2d7ea

      SHA1

      964c9cd02f7ccfa538237197a14d3c7de56cf8ed

      SHA256

      bf1519788b803625bc1c420690e4032c139b0c28450e4e823f464e431d974969

      SHA512

      66637426153b14afc8068c2b11e6aa500cb1b6556ec4b0ac4f3460f497be7e1b0ee773129b44159938f8b516225d5efe478899b2e15e00949a838e9ff84dd91f

      Download Submit
    • \Windows\System32\WUU.exe
      Filesize

      309KB

      MD5

      d431aca4af67918e4b98ae9123e2d7ea

      SHA1

      964c9cd02f7ccfa538237197a14d3c7de56cf8ed

      SHA256

      bf1519788b803625bc1c420690e4032c139b0c28450e4e823f464e431d974969

      SHA512

      66637426153b14afc8068c2b11e6aa500cb1b6556ec4b0ac4f3460f497be7e1b0ee773129b44159938f8b516225d5efe478899b2e15e00949a838e9ff84dd91f

      Download Submit
    • memory/1512-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1588-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1724-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1724-64-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1832-54-0x00000000751A1000-0x00000000751A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1832-67-0x0000000000D50000-0x0000000000EA3000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1832-55-0x0000000000D50000-0x0000000000EA3000-memory.dmp
      Filesize

      1.3MB

      Download