d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e

Analysis

max time kernel
90s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
Size

428KB
MD5

6fd243c8c52dedb9b6006fa142bdbc8f
SHA1

734d23fd35dfcc5f54e6c4fa46e14d28012c9f3b
SHA256

d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e
SHA512

12763da3f0d0e0353f295caa0789d11743cd206cf586958899b02bb8a6e03b1a7fa38f267654e3fc333c44b233e444bbf08e7bc54d9ba8a4577af9ce72696cdb
SSDEEP

12288:W5qudfAHwI6h6ykXupcrkCBaEnvLDn4MDIH:EflI6h6vtgCB9nPZD0

Score

8^/10

evasion trojan vmprotect

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\Drivers\UcmUcsiCx.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\Drivers\mshwnclx.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\system32\drivers\SpbCx.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\system32\drivers\urscx01000.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\WpdUpFltr.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\nvdimm.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\flpydisk.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\system32\drivers\kbldfltr.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\uaspstor.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\UcmUcsiAcpiClient.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sas.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\usbccgp.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\errdev.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSSi_I2C.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\system32\drivers\qwavedrv.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\fdc.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\vmgencounter.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DRIVERS\scfilter.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\sdstor.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\wmiacpi.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\msgpiowin32.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\NdisImPlatform.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\acpipmi.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\system32\drivers\Acx01000.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\usbohci.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\WUDFRd.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\msiscsi.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DRIVERS\wanarp.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\Drivers\Null.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\stornvme.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\system32\drivers\ufx01000.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\vstxraid.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\evbda.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\rasl2tp.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\vmstorfl.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\CmBatt.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DRIVERS\ndistapi.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DRIVERS\NDProxy.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\vpci.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\hidinterrupt.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\MSPQM.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\processr.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\acpipagr.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\MegaSas2i.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\intelpmax.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\system32\drivers\ndisuio.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\sbp2port.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\BthA2dp.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\buttonconverter.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\percsas3i.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\winmad.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\system32\DRIVERS\nwifi.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\WinUSB.SYS	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\bridge.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\USBSTOR.SYS	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DRIVERS\ndiswan.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\BTHUSB.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\HyperVideo.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\wacompen.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\drivers\asyncmac.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2376-132-0x0000000000400000-0x00000000004BA000-memory.dmp	vmprotect
behavioral2/memory/2376-133-0x0000000000400000-0x00000000004BA000-memory.dmp	vmprotect
behavioral2/memory/2376-135-0x0000000000400000-0x00000000004BA000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
2376	d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe

C:\Users\Admin\AppData\Local\Temp\d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe
"C:\Users\Admin\AppData\Local\Temp\d51f890415fd80f644f5cc2d55e559bb7841906e6de3815876c6216d38247d2e.exe"
1⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-132-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2376-133-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2376-135-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download