feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
Size

408KB
MD5

08252eaf125435946783fcbc9874a064
SHA1

e47fe7b0c4dcaf172cfb785ae17f7963046a891d
SHA256

feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9
SHA512

a8329da82ec7e418f4aa108ae11d0d584a8884dd9e6f9ff6c97977000d5e437884b85782dff30fc871c3c4e4ffed64ffac5b4511f5c228df49d3feaf62c3a9c9
SSDEEP

6144:qTzncPRf7XWpbpKSmJ2qL6WsVOKcQwm3LBlKC:gA5Mdhmo6H2cC

Score

8^/10

evasion trojan vmprotect

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\asyncmac.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\processr.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\usbccgp.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\VMBusHID.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\BthA2dp.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\CmBatt.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\rassstp.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\hyperkbd.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\vmbus.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\system32\drivers\urscx01000.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\WpdUpFltr.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\atapi.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\EhStorTcgDrv.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\vmgencounter.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\iai2c.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\mshidkmdf.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\system32\drivers\NetAdapterCx.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\DRIVERS\rasacd.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\netvsc.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\parport.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\sdbus.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\system32\drivers\appid.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\iaStorV.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\rdpvideominiport.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\UcmUcsiAcpiClient.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\system32\drivers\ucx01000.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\vwifibus.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\amdgpio2.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_GPIO2.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\Drivers\Null.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\system32\drivers\SpbCx.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\SmartSAMD.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\usbaudio2.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\vpci.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\1394ohci.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\Microsoft.Bluetooth.Legacy.LEEnumerator.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\IndirectKmd.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\megasas.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\bridge.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\MSPQM.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\rasl2tp.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\3ware.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\Drivers\mshwnclx.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\megasas35i.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\umpass.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\kbdhid.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\system32\drivers\winnat.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\acpipagr.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C_CNL.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\MSTEE.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\percsas3i.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\winmad.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\bthmodem.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\BTHUSB.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\mshidumdf.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\AcpiDev.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\system32\drivers\NDKPing.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\hidinterrupt.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\HyperVideo.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\system32\drivers\ndisuio.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\tsusbhub.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\drivers\ADP80XX.SYS	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\system32\drivers\qwavedrv.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4332-132-0x0000000000400000-0x00000000004AE000-memory.dmp	vmprotect
behavioral2/memory/4332-133-0x0000000000400000-0x00000000004AE000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4332	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
4332	feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe

C:\Users\Admin\AppData\Local\Temp\feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
"C:\Users\Admin\AppData\Local\Temp\feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe"
1⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4332-132-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4332-133-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download