81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52

General

Target

81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
Size

426KB
MD5

4c60f145b1f849f1c31d4948280735a4
SHA1

98e77cb1a0df22fee30bdc755a255585cee7be8f
SHA256

81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52
SHA512

33a0a65b0e9537051205a2088bc44323b549afb240534d0319a50c4874bd8d73fed13cf1f5cf592ce952d1b256b4ea40f1a97e63ae00cb0cf24c978c7f13db03
SSDEEP

6144:aw1R8uK7CWmhvAXtAiKkgsaGZ7m/kJKr53+LZRL+9adg5gN+p5J7eEw3/tno:2HA5VGlGnwXC8+5pLeEg/tno

Score

8^/10

evasion trojan vmprotect

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

Processes:

81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\circlass.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\EhStorTcgDrv.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\HidBatt.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\USBXHCI.SYS	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\BTHUSB.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\DRIVERS\NDProxy.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\errdev.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\system32\DRIVERS\ramdisk.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\sdstor.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\system32\drivers\ufx01000.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\WUDFRd.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\amdgpio2.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\tsusbhub.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\xboxgip.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\DRIVERS\rasacd.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\system32\drivers\kbldfltr.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\umpass.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\Microsoft.Bluetooth.AvrcpTransport.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\percsas3i.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\Synth3dVsc.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\wacompen.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\iaStorAVC.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sas2i.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\serenum.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\system32\drivers\SpbCx.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\ufxsynopsys.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\hyperkbd.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\ndiswan.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C_BXT_P.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sas3i.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\vms3cap.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\stornvme.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\system32\drivers\WudfPf.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\bcmfn2.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\fdc.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\hidinterrupt.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\SiSRaid2.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\tunnel.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\hidbth.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\isapnp.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\parport.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\serial.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\usbccgp.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\mvumis.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\bttflt.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\Drivers\msgpioclx.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\nvstor.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\sdbus.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\system32\drivers\tsusbflt.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\UsbHub3.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\wmiacpi.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\amdi2c.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\system32\drivers\applockerfltr.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\USBSTOR.SYS	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\vpci.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\atapi.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\DRIVERS\ndistapi.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\AcpiDev.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C_CNL.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\ipt.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\system32\DRIVERS\nwifi.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\drivers\CmBatt.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3632-132-0x0000000000400000-0x00000000004B9000-memory.dmp	vmprotect
behavioral2/memory/3632-133-0x0000000000400000-0x00000000004B9000-memory.dmp	vmprotect
behavioral2/memory/3632-135-0x0000000000400000-0x00000000004B9000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe

Drops file in System32 directory 6 IoCs

Processes:

81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe

pid	process
3632	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
3632	81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe

C:\Users\Admin\AppData\Local\Temp\81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe
"C:\Users\Admin\AppData\Local\Temp\81836f9ecd208c11d37b5cbda9e70263a56d0cca4b539d6bfc128103bab1ea52.exe"
1⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3632-132-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3632-133-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3632-135-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads