74d63f658c7d76570d226e2f5535ebe18b33fa1696653ce520810c14511b0266

Analysis

max time kernel
51s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/06/2023, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

5.3MB
MD5

cb77eac7737661d48dfedbccd07e0d95
SHA1

ddb0c70e122a5970b76ab3e62aafa601a8326f51
SHA256

74d63f658c7d76570d226e2f5535ebe18b33fa1696653ce520810c14511b0266
SHA512

79cc356fc099a5c8b317bd2ff8e9e7703e49e6a873cafdf7fef8bef0169d4250686f4ec93b71b873a9682424225ef5e291585e444b663e2390511a498183c588
SSDEEP

98304:fZjbxmUu9NHQZKgVpQhRsuQOfAssiYD5XrEmZ5GMreeb8KJqfNLq6VqGjGt:RjbxfXZKJhlQhJiYrP5NiebsNBVqGS

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1316-57-0x000000013F9E0000-0x0000000140320000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\F:	tmp.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\Y:	tmp.exe
File opened (read-only)	\??\B:	tmp.exe
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe
1316	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1316	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\shellcode.bin

Filesize
300KB

MD5
a40a214db11296040db96cdfd3969e08

SHA1
f79b6b66ba9366f2e3b4bdef53191e79c122f5bb

SHA256
185c9786657c6d08c7e4eb259f5ead74093b1d9191758a51203c528cf5a9fa2d

SHA512
90500ad6b261335dc70a78b6efa2ad4016a299b5d9aad582e28f306098b7b03d6b2e02b26baab9fd417bf20517147e715a65393089b168c6e27c8053d927ea92

Download Submit
memory/1316-55-0x0000000077210000-0x0000000077212000-memory.dmp

Filesize
8KB

Download
memory/1316-54-0x0000000077210000-0x0000000077212000-memory.dmp

Filesize
8KB

Download
memory/1316-56-0x0000000077210000-0x0000000077212000-memory.dmp

Filesize
8KB

Download
memory/1316-57-0x000000013F9E0000-0x0000000140320000-memory.dmp

Filesize
9.2MB

Download
memory/1316-66-0x0000000002080000-0x00000000020CC000-memory.dmp

Filesize
304KB

Download
memory/1316-67-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1316-73-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1316-74-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1316-76-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1316-77-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download