7d99e857ae2a2d0facdbdf1ee59346270aedbde4ed7d52c99dcf18a1b0213fb3 | Triage

Submit
Reports

Overview

overview

8

Static

static

8

7d99e857ae...b3.exe

windows7-x64

8

7d99e857ae...b3.exe

windows10-2004-x64

8

Sharing

General

Target

7d99e857ae2a2d0facdbdf1ee59346270aedbde4ed7d52c99dcf18a1b0213fb3
Size

1.7MB
Sample

221126-hxga4sea9v
MD5

dc98d9864186ba12b3425506b6eec54c
SHA1

0d417d91c749863ffa1531da5f6bf69f8a76bc8a
SHA256

7d99e857ae2a2d0facdbdf1ee59346270aedbde4ed7d52c99dcf18a1b0213fb3
SHA512

a76da9dbffe0847f4ffda535c5bb321c3c3d5372d20001f83748a14c793129697aeb9446343d8fc1f8dd52419d18d58c1e2226203a527e97f4ee97bcc806da45
SSDEEP

49152:SiT6NsEa6AWkG0xOwqAA1Y/O7868zHfsN:SiGNsmfrKO868z/u

Score

8^/10

evasion persistence upx vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

7d99e857ae2a2d0facdbdf1ee59346270aedbde4ed7d52c99dcf18a1b0213fb3.exe

Resource

win7-20220901-en

evasion persistence upx vmprotect

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

7d99e857ae2a2d0facdbdf1ee59346270aedbde4ed7d52c99dcf18a1b0213fb3.exe

Resource

win10v2004-20220812-en

evasion persistence upx vmprotect

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  7d99e857ae2a2d0facdbdf1ee59346270aedbde4ed7d52c99dcf18a1b0213fb3
- Size
  
  1.7MB
- MD5
  
  dc98d9864186ba12b3425506b6eec54c
- SHA1
  
  0d417d91c749863ffa1531da5f6bf69f8a76bc8a
- SHA256
  
  7d99e857ae2a2d0facdbdf1ee59346270aedbde4ed7d52c99dcf18a1b0213fb3
- SHA512
  
  a76da9dbffe0847f4ffda535c5bb321c3c3d5372d20001f83748a14c793129697aeb9446343d8fc1f8dd52419d18d58c1e2226203a527e97f4ee97bcc806da45
- SSDEEP
  
  49152:SiT6NsEa6AWkG0xOwqAA1Y/O7868zHfsN:SiGNsmfrKO868z/u
Score

8^/10

evasion persistence upx vmprotect
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistenceupxvmprotect

behavioral2

evasionpersistenceupxvmprotect

© 2018-2024

Terms | Privacy