92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f

General

Target

92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe
Size

141KB
MD5

e030ff10bd3693b025b36fb2a6923d44
SHA1

3ce3feef6fd20089d6b24cb7920368064f22f220
SHA256

92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f
SHA512

65bc61f6f2ea9ef9cfcaebc7602063246983536eda00a3d86046a6d78b85f050e035b451d88adf1b6b4059aa48d035bbdfabc8e37ed27c63c0487ba6aad43792
SSDEEP

3072:4flOchKvRfVBs9fi57z/gaseA8Sl0Wmacf:4HhqRfV6iBDselV9f

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

1628 1.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HIMYM.DLL	vmprotect
C:\Windows\SysWOW64\HIMYM.DLL	vmprotect

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4752 rundll32.exe

pid	process
4752	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disker = "rundll32.exe C:\\Windows\\system32\\HIMYM.DLL,DW"	rundll32.exe

Drops file in System32 directory 1 IoCs

Processes:

1.exe

description ioc process

File created C:\Windows\SysWOW64\HIMYM.DLL 1.exe
Drops file in Windows directory 1 IoCs

Processes:

92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe

description ioc process

File created C:\Windows\system32drivers\etc\hosts 92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HIMYM.DLL	1.exe

description	ioc	process
File created	C:\Windows\system32drivers\etc\hosts	92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1.exe

pid	process
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe
1628	1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1.exe

description	pid	process
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe
Token: SeDebugPrivilege	1628	1.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe1.exe

description	pid	process	target process
PID 4532 wrote to memory of 1628	4532	92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe	1.exe
PID 4532 wrote to memory of 1628	4532	92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe	1.exe
PID 4532 wrote to memory of 1628	4532	92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe	1.exe
PID 4532 wrote to memory of 1796	4532	92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe	cmd.exe
PID 4532 wrote to memory of 1796	4532	92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe	cmd.exe
PID 4532 wrote to memory of 1796	4532	92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe	cmd.exe
PID 1628 wrote to memory of 4752	1628	1.exe	rundll32.exe
PID 1628 wrote to memory of 4752	1628	1.exe	rundll32.exe
PID 1628 wrote to memory of 4752	1628	1.exe	rundll32.exe
PID 1628 wrote to memory of 1060	1628	1.exe	cmd.exe
PID 1628 wrote to memory of 1060	1628	1.exe	cmd.exe
PID 1628 wrote to memory of 1060	1628	1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe
"C:\Users\Admin\AppData\Local\Temp\92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\1.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW
3⤵
- Loads dropped DLL
- Adds Run key to start application
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1.exe"
3⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe"
2⤵
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
80.1MB

MD5
e96e48358ba1e75e8d24374416d4cd5e

SHA1
623c9f3dd387692c199447171f0d794d48aa5679

SHA256
6440142c67356ef12dba13a6bfc27c6da1a2fc906714b518225a29546f5e9a77

SHA512
f830d06d0c2351e1c632c95dd107c337ee7fca093961f74b037b3138545f0010f4bad588a69f5d68da6972ae78ce7873db111bf717055bbc1036c7db0d11ce2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
80.1MB

MD5
e96e48358ba1e75e8d24374416d4cd5e

SHA1
623c9f3dd387692c199447171f0d794d48aa5679

SHA256
6440142c67356ef12dba13a6bfc27c6da1a2fc906714b518225a29546f5e9a77

SHA512
f830d06d0c2351e1c632c95dd107c337ee7fca093961f74b037b3138545f0010f4bad588a69f5d68da6972ae78ce7873db111bf717055bbc1036c7db0d11ce2f

Download Submit
C:\Windows\SysWOW64\HIMYM.DLL
Filesize
92KB

MD5
4190846c5202983c636476eac5b979aa

SHA1
3bcac44ead53c96124f48f10ee1f1c6b568c0488

SHA256
65c5c4e9908c5a3ddccbc2ed8073276e37bcfbcfe9aa25843e0789c5d88c7dfb

SHA512
d9a621a13195b4958b01e6960b15ee765f811313818a88876a9369a8eccdcd7e66f60c28bd8010d86f1ee9b8109278ef7bba6be4a9a13927cd746b3777adc63b

Download Submit
C:\Windows\SysWOW64\HIMYM.DLL
Filesize
92KB

MD5
4190846c5202983c636476eac5b979aa

SHA1
3bcac44ead53c96124f48f10ee1f1c6b568c0488

SHA256
65c5c4e9908c5a3ddccbc2ed8073276e37bcfbcfe9aa25843e0789c5d88c7dfb

SHA512
d9a621a13195b4958b01e6960b15ee765f811313818a88876a9369a8eccdcd7e66f60c28bd8010d86f1ee9b8109278ef7bba6be4a9a13927cd746b3777adc63b

Download Submit
memory/1060-143-0x0000000000000000-mapping.dmp

Download
memory/1628-138-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1628-132-0x0000000000000000-mapping.dmp

Download
memory/1628-139-0x000000000C260000-0x000000000C29A000-memory.dmp

Filesize
232KB

Download
memory/1628-137-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1628-136-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1628-144-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1796-134-0x0000000000000000-mapping.dmp

Download
memory/4752-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads