ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b | Triage

Submit
Reports

Overview

overview

8

Static

static

8

ede707e9ac...6b.exe

windows7-x64

8

ede707e9ac...6b.exe

windows10-2004-x64

8

Sharing

Copy URL Twitter E-mail

General

Target

ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b
Size

156KB
Sample

221204-q92ftaab3y
MD5

3f17f63a227b16630e2396fef16144be
SHA1

204a376e352ca4e698dd366ecb261efa347db3be
SHA256

ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b
SHA512

d99a47398dd640a85d42fd3f832798a0654a7bb6357bc1a85977936f62838fe750ae1d1fc2dc20d0b9362393a35084203a6a0ee2645d4a8ace2920845d1a9fbc
SSDEEP

3072:ebZQ7MmKd2DvUrJQArxjnoxDAnGbasa0m5QwNoOnGjWuD:eb6HI2DvyZFjnoVAn0i5QwNoOG

Score

8^/10

bootkit persistence vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b.exe

Resource

win7-20220812-en

bootkit persistence vmprotect

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b.exe

Resource

win10v2004-20220812-en

bootkit persistence vmprotect

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b
- Size
  
  156KB
- MD5
  
  3f17f63a227b16630e2396fef16144be
- SHA1
  
  204a376e352ca4e698dd366ecb261efa347db3be
- SHA256
  
  ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b
- SHA512
  
  d99a47398dd640a85d42fd3f832798a0654a7bb6357bc1a85977936f62838fe750ae1d1fc2dc20d0b9362393a35084203a6a0ee2645d4a8ace2920845d1a9fbc
- SSDEEP
  
  3072:ebZQ7MmKd2DvUrJQArxjnoxDAnGbasa0m5QwNoOnGjWuD:eb6HI2DvyZFjnoVAn0i5QwNoOG
Score

8^/10

bootkit persistence vmprotect
- Drops file in Drivers directory
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets file execution options in registry
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitpersistencevmprotect

behavioral2

bootkitpersistencevmprotect

© 2018-2025

Terms | Privacy