Overview

overview

8

Static

static

8

640ca50664...13.exe

windows7-x64

8

640ca50664...13.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    127s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    640ca5066401e717118f19e5e471ba8832d87e900205d8e5d6d10a53da51a913.exe

  • Size

    4.3MB

  • MD5

    f7dbf6be3fc951697b713a286f4a6c48

  • SHA1

    5b3eb15fefa4d8b546aa2987bcf36fcab901ae55

  • SHA256

    640ca5066401e717118f19e5e471ba8832d87e900205d8e5d6d10a53da51a913

  • SHA512

    340fde9e9c16eb9fe374930f6f247b4662ff1b2c20b10a03d093fad497b2367512d1908dbab9d790f86b2d4b8904950eef8d8de214626cab467c0c0a66a56477

  • SSDEEP

    49152:PSvd6wMpY+mCvZhCCuLHy44COCVTVvoNVQCOeAYjLpT465SDEk2YBC3iMcoFntAe:+6wMa+5CCOqnDJ1jt86Qn26F+l/vw

Score
8/10
vmprotect

Malware Config

Signatures

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\640ca5066401e717118f19e5e471ba8832d87e900205d8e5d6d10a53da51a913.exe
    "C:\Users\Admin\AppData\Local\Temp\640ca5066401e717118f19e5e471ba8832d87e900205d8e5d6d10a53da51a913.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.jdcqg.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
    Filesize

    94KB

    MD5

    255960fac5e045e8a4127bd0b3d285ed

    SHA1

    aeaefb341069bc2d81f5a3876f7f73dc82822695

    SHA256

    e57833724aaff9f4f5cb46933651c7ae7378181866a9e6acdd83e6457db7446b

    SHA512

    72c24a00503e433dc3e0cfb2c704a33eed01ab286b3a87c697776e8883701ae6f4bfad556de5df2eb0053cc678ac161b8b09591a24e9694ae626d66e94e6e6b5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3KBVOAQY.txt
    Filesize

    603B

    MD5

    c66b9a752432a7be5b75419a21a85660

    SHA1

    412869adcf5c88c22310ef8ac6a3c4520b7854dd

    SHA256

    ba767ecec110e45353170fe310f274620a479828d92942ce5e8515f04a37765a

    SHA512

    4e0057d0d3d5d70a1034c3adbda0b5eda5d5b52b83cc14df0015c17b490a9ff729ca00742e2a2642b1659311da9002084f760365a65c5e7ed5712b40b96b87c6

    Download Submit
  • memory/1992-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1992-55-0x0000000000820000-0x00000000010FB000-memory.dmp
    Filesize

    8.9MB

    Download
  • memory/1992-57-0x0000000000820000-0x00000000010FB000-memory.dmp
    Filesize

    8.9MB

    Download
  • memory/1992-58-0x0000000000820000-0x00000000010FB000-memory.dmp
    Filesize

    8.9MB

    Download
  • memory/1992-60-0x0000000000810000-0x0000000000820000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1992-62-0x0000000000810000-0x0000000000820000-memory.dmp
    Filesize

    64KB

    Download