997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
Size

2.5MB
MD5

e3443af8e6e156a5b64721a62245f217
SHA1

92e531bf3e36f1922e97274bd0a646e0aa4521aa
SHA256

997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d
SHA512

b9d2ab6d6667a8d87bdde20855fd5387c184669f0579e9cc2d4950cc07e967bd7bcb7f45decceff95e486b9f214da62280cbdc7bee7e6d33cf3d1fc988722c62
SSDEEP

49152:FQG1Rpv9pgsxwZWagV5wFQNdYSEpvWpWe0yqKDbj7Ssqt4JMteltCYecD5j4:FD/vxwYOyNWSEpvWT0IDcqVltCxF

Score

8^/10

evasion trojan vmprotect

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\amdsata.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\Drivers\BrUsbMdm.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\bthmodem.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\nfrd960.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\rdpencdd.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\acpipmi.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\Drivers\BrSerWdm.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\drivers\rdpdr.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\sisraid4.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\storvsc.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\drivers\synth3dvsc.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\usbprint.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\aliide.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\pciide.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\vms3cap.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\viaide.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\adpahci.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\nvstor.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\umpass.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\appid.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\drivers\dxgkrnl.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\hidir.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\drivers\ipnat.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\sffp_mmc.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\DRIVERS\pacer.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\drivers\tcpipreg.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\DRIVERS\b57nd60a.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\iaStorV.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\irenum.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\msdsm.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\serial.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\VMBusHID.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\hcw85cir.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\parport.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\sfloppy.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\DRIVERS\tssecsrv.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\TsUsbGD.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\drivers\volmgrx.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\msiscsi.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\drivers\rdpvideominiport.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\drivers\hwpolicy.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\pcmcia.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\qwavedrv.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\tdtcp.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\DRIVERS\lltdio.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\kbdhid.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\drivers\mpsdrv.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\ql2300.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\SiSRaid2.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\speeder.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\bxvbda.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\DRIVERS\ndisuio.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\Drivers\RDPWD.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\Drivers\NDProxy.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\isapnp.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\MSPCLOCK.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\terminpt.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\usbohci.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\Drivers\secdrv.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\compbatt.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\usbuhci.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\peauth.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\system32\drivers\amdide.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
File opened for modification	C:\Windows\System32\DRIVERS\rasacd.sys	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1720-54-0x0000000000400000-0x00000000009A0000-memory.dmp	vmprotect
behavioral1/memory/1720-57-0x0000000000400000-0x00000000009A0000-memory.dmp	vmprotect
behavioral1/memory/1720-58-0x0000000000400000-0x00000000009A0000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1720	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
1720	997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe

C:\Users\Admin\AppData\Local\Temp\997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe
"C:\Users\Admin\AppData\Local\Temp\997ba5652d80f59121e587ec3df9ea6c13b917422a16663e40c26317d7d6882d.exe"
1⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-54-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/1720-56-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1720-57-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/1720-58-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download