29e73739d0fadc537e56f8657c4b30ee9d1b3966b5ddaac12afb4b18a7acbd87 | Triage

Submit
Reports

Overview

overview

7

Static

static

7

Device/Har...68.exe

windows7-x64

7

Device/Har...68.exe

windows10-2004-x64

7

Sharing

General

Target

00031-00068.cap
Size

3.2MB
Sample

230329-fl23bsgd7x
MD5

5b90d9bfcf283f41398d639014b2a276
SHA1

83be72ca78162b7e9438c956827354147089f2a6
SHA256

29e73739d0fadc537e56f8657c4b30ee9d1b3966b5ddaac12afb4b18a7acbd87
SHA512

c1a2b0f9a400ddccee5e3529ad77b2f643d29a1eeae076c95ef78488a3bbd2158a74221b4a001f57b04ca2abf2394ff182f71a0836afc12825cd8212c9d61c2f
SSDEEP

98304:jPN4gfTSEzxvTv284GyoBViMY9J13y1qV50:bT9xrO8Tji/1iYA

Score

7^/10

discovery vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Device/HarddiskVolume5/Program Files/Tally.ERP9/capsules/00031-00068.exe

Resource

win7-20230220-en

discovery vmprotect

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Device/HarddiskVolume5/Program Files/Tally.ERP9/capsules/00031-00068.exe

Resource

win10v2004-20230220-en

discovery vmprotect

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Targets

- Target
  
  Device/HarddiskVolume5/Program Files/Tally.ERP9/capsules/00031-00068.cap
- Size
  
  3.6MB
- MD5
  
  73e86a2310340e627199d9f5748dabbe
- SHA1
  
  d1a85f5b52f5dce7e2dcb14bf18f70ca9674adaa
- SHA256
  
  a166a85213b4ba76d2e76a4ad31ce9603d86df64e86db6eaf716dfabbf8d4a1b
- SHA512
  
  a6cf64fb80e4b9f5ee8f5f296673c3fa829fefdd692fe1a7ed01a0334998d49f52ca142f8088b63889b0d29b0fbbcb5bbff47adf2778c09ea99156dc4ff61238
- SSDEEP
  
  98304:XtfzmCctEWybcSJSLABLMT3bqS88xQFIiyh3Azye0A:Xt7n2pNSHdrgiDzH0A
Score

7^/10

discovery vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

discoveryvmprotect

behavioral2

discoveryvmprotect

© 2018-2024

Terms | Privacy