1620726a24a49b48d5cc9aa9a26ff4bbe849a4a583031fb8155ec216ddd591a5

General

Target

tmp.exe
Size

29.4MB
MD5

8ef684ee2f0d30041d4a089f92f4ab06
SHA1

573aaabccc069703bdf9fab9fd31168303495225
SHA256

1620726a24a49b48d5cc9aa9a26ff4bbe849a4a583031fb8155ec216ddd591a5
SHA512

7a429a21b11f4e9d77e22ed9ae25a7b2f09621edc74b19a6e06849df44e5458477d7510e4ef438e2f674bace8d334777dde4823b8006e09f6849944a768e280d
SSDEEP

786432:zlB8NEuBnbj8cJRPVCZGc7Iv5aMMu8lM9mLAsJpUIL7Rl:JBMkTwc7yaMRR9mnJdL7n

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2356	tmp.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2800-132-0x0000000000400000-0x00000000013E0000-memory.dmp	vmprotect
behavioral2/memory/2800-133-0x0000000000400000-0x00000000013E0000-memory.dmp	vmprotect
behavioral2/files/0x0007000000023184-136.dat	vmprotect
behavioral2/files/0x0007000000023184-137.dat	vmprotect
behavioral2/memory/2356-138-0x0000000000400000-0x00000000013E0000-memory.dmp	vmprotect
behavioral2/memory/2800-139-0x0000000000400000-0x00000000013E0000-memory.dmp	vmprotect
behavioral2/memory/2356-140-0x0000000000400000-0x00000000013E0000-memory.dmp	vmprotect
behavioral2/memory/2356-143-0x0000000000400000-0x00000000013E0000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	tmp.exe
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe
File opened (read-only)	\??\F:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\A:	tmp.exe
File opened (read-only)	\??\B:	tmp.exe
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2800	tmp.exe
2800	tmp.exe
2356	tmp.exe
2356	tmp.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2800	tmp.exe
2800	tmp.exe
2800	tmp.exe
2800	tmp.exe
2800	tmp.exe
2356	tmp.exe
2356	tmp.exe
2356	tmp.exe
2356	tmp.exe
2356	tmp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2356	2800	tmp.exe	79
PID 2800 wrote to memory of 2356	2800	tmp.exe	79
PID 2800 wrote to memory of 2356	2800	tmp.exe	79

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800
- C:\»ðÁú´«Ëµ\tmp.exe
  C:\»ðÁú´«Ëµ\tmp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
41B

MD5
fa4a6393f371a289f6b187ba6aaada19

SHA1
84f4f1eedd713c86f97605f7e8a23a1f2d2678a3

SHA256
53ea98bb79bd329140803195f5c46b117986bdeba86f301f9613de657f38b528

SHA512
2c6d8429aa7bfb9b2357c3ef710a5d98cd1cb62f29ba36091ddf4a05fe28cc7b35a4609aa7cd1e1f59350c004e2ab9f1c18cc2506bde92f64d6fa3413e0a0519

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee3be600d9a3cee93b3631c5a8597615

Filesize
11B

MD5
0ad0059a41e8461c75592d5d2a09b822

SHA1
a4626fc3ffe3756258b418b2d72e37dbbad356d5

SHA256
3ee3395d306de139ad06ee9b185b77e60b4203e320ee96799e94746f942de25c

SHA512
707b076e11ba1ef56f5c45708d8e0eef39c6d5a7a3558da0b2b7f441616a63fb9a9d911084c97c17f88410f7b2445e1494a1b89f2a88806c940e8da49ed7c817

Download Submit
C:\»ðÁú´«Ëµ\tmp.exe

Filesize
29.4MB

MD5
8ef684ee2f0d30041d4a089f92f4ab06

SHA1
573aaabccc069703bdf9fab9fd31168303495225

SHA256
1620726a24a49b48d5cc9aa9a26ff4bbe849a4a583031fb8155ec216ddd591a5

SHA512
7a429a21b11f4e9d77e22ed9ae25a7b2f09621edc74b19a6e06849df44e5458477d7510e4ef438e2f674bace8d334777dde4823b8006e09f6849944a768e280d

Download Submit
C:\»ðÁú´«Ëµ\tmp.exe

Filesize
29.4MB

MD5
8ef684ee2f0d30041d4a089f92f4ab06

SHA1
573aaabccc069703bdf9fab9fd31168303495225

SHA256
1620726a24a49b48d5cc9aa9a26ff4bbe849a4a583031fb8155ec216ddd591a5

SHA512
7a429a21b11f4e9d77e22ed9ae25a7b2f09621edc74b19a6e06849df44e5458477d7510e4ef438e2f674bace8d334777dde4823b8006e09f6849944a768e280d

Download Submit
memory/2356-138-0x0000000000400000-0x00000000013E0000-memory.dmp

Filesize
15.9MB

Download
memory/2356-140-0x0000000000400000-0x00000000013E0000-memory.dmp

Filesize
15.9MB

Download
memory/2356-143-0x0000000000400000-0x00000000013E0000-memory.dmp

Filesize
15.9MB

Download
memory/2800-132-0x0000000000400000-0x00000000013E0000-memory.dmp

Filesize
15.9MB

Download
memory/2800-133-0x0000000000400000-0x00000000013E0000-memory.dmp

Filesize
15.9MB

Download
memory/2800-139-0x0000000000400000-0x00000000013E0000-memory.dmp

Filesize
15.9MB

Download

Analysis

Sharing