496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7 | Triage

Submit
Reports

Overview

overview

Static

static

8

MicrosoftE...te.exe

windows7-x64

MicrosoftE...te.exe

windows10-2004-x64

Sharing

General

Target

MicrosoftEdgeUpdate.exe
Size

4.9MB
Sample

230116-blt99sba5x
MD5

8223e55c97c61478aa4230b2ca498a38
SHA1

a42c6d401fbf798806c5fe85c47cc047c189e486
SHA256

496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7
SHA512

5a2f32412d677e22602e0155a70328d9836e06eb26f59b6872b902fd044a7fb1011e066696018ae3db018282169e47e00aea3a861643662746543ab5f4d2f93d
SSDEEP

98304:NKB0rS8yY+gIpexlkt2GguS8qth97fOMFz7lFrL8XE:8BaQgGft2hqeh97fOmXlFk

Score

10^/10

discovery evasion exploit vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

MicrosoftEdgeUpdate.exe

Resource

win7-20220901-en

discovery evasion exploit vmprotect

windows7-x64

26 signatures

150 seconds

Behavioral task

behavioral2

Sample

MicrosoftEdgeUpdate.exe

Resource

win10v2004-20221111-en

discovery evasion exploit vmprotect

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  MicrosoftEdgeUpdate.exe
- Size
  
  4.9MB
- MD5
  
  8223e55c97c61478aa4230b2ca498a38
- SHA1
  
  a42c6d401fbf798806c5fe85c47cc047c189e486
- SHA256
  
  496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7
- SHA512
  
  5a2f32412d677e22602e0155a70328d9836e06eb26f59b6872b902fd044a7fb1011e066696018ae3db018282169e47e00aea3a861643662746543ab5f4d2f93d
- SSDEEP
  
  98304:NKB0rS8yY+gIpexlkt2GguS8qth97fOMFz7lFrL8XE:8BaQgGft2hqeh97fOmXlFk
Score

10^/10

discovery evasion exploit vmprotect
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Impair Defenses

File Permissions Modification

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Tasks

static1

behavioral1

discoveryevasionexploitvmprotect

behavioral2

discoveryevasionexploitvmprotect

© 2018-2024

Terms | Privacy