4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe
Size

1.7MB
MD5

8c03064bfdf80875a32f310192d5f30a
SHA1

2306073618f2a01956abd586e4af0d71a52f8964
SHA256

4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44
SHA512

7a075f0c3bae55d13732d9535f91f5ef898e4592995bf7cdbe6b4aa50e59f3e52fac6a8263530d3e19e2bbb5df157be8d81e4c8b7da181b7207d3a00b76370c7
SSDEEP

24576:wjJ4io/BnbW4DclkK3iVp7XNdU5EC55XoPO+d6RfikoOLE2vpD0SVXs/J/oPDi0j:aoZaEc2K3otXNWiC5xoWekV1vVf+Z+h

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1648	windows.exe

Loads dropped DLL 7 IoCs

pid	Process
1648	windows.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0006000000016244-102.dat	vmprotect
behavioral1/files/0x0006000000016244-101.dat	vmprotect
behavioral1/memory/1648-103-0x00000000751F0000-0x000000007526D000-memory.dmp	vmprotect
behavioral1/memory/1648-104-0x00000000751F0000-0x000000007526D000-memory.dmp	vmprotect
behavioral1/files/0x0006000000016244-110.dat	vmprotect
behavioral1/memory/1648-113-0x00000000751F0000-0x000000007526D000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2008	1648	WerFault.exe	45

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
772	ipconfig.exe
1956	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2912	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1648	windows.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe
Token: SeImpersonatePrivilege	760	4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe
Token: SeDebugPrivilege	760	4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe
Token: SeImpersonatePrivilege	760	4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe
Token: SeDebugPrivilege	760	4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe
Token: SeImpersonatePrivilege	760	4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe
Token: SeDebugPrivilege	2912	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3064	hh.exe
3064	hh.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 772	324	cmd.exe	34
PID 324 wrote to memory of 772	324	cmd.exe	34
PID 324 wrote to memory of 772	324	cmd.exe	34
PID 1328 wrote to memory of 3064	1328	cmd.exe	38
PID 1328 wrote to memory of 3064	1328	cmd.exe	38
PID 1328 wrote to memory of 3064	1328	cmd.exe	38
PID 2920 wrote to memory of 2244	2920	cmd.exe	41
PID 2920 wrote to memory of 2244	2920	cmd.exe	41
PID 2920 wrote to memory of 2244	2920	cmd.exe	41
PID 2920 wrote to memory of 1956	2920	cmd.exe	42
PID 2920 wrote to memory of 1956	2920	cmd.exe	42
PID 2920 wrote to memory of 1956	2920	cmd.exe	42
PID 2244 wrote to memory of 1648	2244	cmd.exe	45
PID 2244 wrote to memory of 1648	2244	cmd.exe	45
PID 2244 wrote to memory of 1648	2244	cmd.exe	45
PID 2244 wrote to memory of 1648	2244	cmd.exe	45
PID 1648 wrote to memory of 2008	1648	windows.exe	46
PID 1648 wrote to memory of 2008	1648	windows.exe	46
PID 1648 wrote to memory of 2008	1648	windows.exe	46
PID 1648 wrote to memory of 2008	1648	windows.exe	46
PID 760 wrote to memory of 2912	760	4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe	47
PID 760 wrote to memory of 2912	760	4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe	47
PID 760 wrote to memory of 2912	760	4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe	47

C:\Users\Admin\AppData\Local\Temp\4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe
"C:\Users\Admin\AppData\Local\Temp\4393ee45fcc34d3a7686cfb1793af4f3271ace70fc5bc2b65ae0940cc25acd44.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\system32\taskkill.exe
  taskkill /f /im hh.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2912

C:\Windows\system32\cmd.exe
cmd /c start /min ipconfig /release
1⤵
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\system32\ipconfig.exe
  ipconfig /release
  2⤵
  - Gathers network information
  PID:772

C:\Windows\system32\cmd.exe
cmd /c start /min C:\Users\Public\Documents\Help.chm
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\hh.exe
  "C:\Windows\hh.exe" C:\Users\Public\Documents\Help.chm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3064

C:\Windows\system32\cmd.exe
cmd /c start /min cmd /c start /min C:\Users\Public\Documents\windows.exe &&start /min ipconfig /renew
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\system32\cmd.exe
  cmd /c start /min C:\Users\Public\Documents\windows.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Public\Documents\windows.exe
    C:\Users\Public\Documents\windows.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:2008
- C:\Windows\system32\ipconfig.exe
  ipconfig /renew
  2⤵
  - Gathers network information
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\Help.chm

Filesize
20KB

MD5
3d52d0dee7b6414d3e8a3c566be5c93b

SHA1
b195b0bc37670a2c563a7953d3281d33a44b871e

SHA256
82f32ee4cd5121c9950ec1354355e991c5e3d4e749e6636cd267468857536783

SHA512
ccd9a82f9c114927453af13b7d54cb26e5a30b6d40396f00bb0d4633827ae4fef1b179b110134d4e727846f217ec64a9eb20b99b542eebc64fef463f79dc205b

Download Submit
C:\Users\Public\Documents\popo_cef.dll

Filesize
313KB

MD5
a54b312616275fe68b85b2f83806cf2d

SHA1
b2e916111f765f72e68be6c9528712dc5a1869ec

SHA256
58d494c2a150bda1961dce9c5ef879c66ed9d7df46dcaa3609daf832eb66f140

SHA512
83325f3e671ee3716723e04c4e9cb9981c070be8440f042bcee6d9c84961f034cc2d79d94a92fbc34547de53c98f800ac9b95f46d1b8684234bb4b3cffa1010a

Download Submit
C:\Users\Public\Documents\windows.exe

Filesize
485KB

MD5
5a6b06efbaa4b3b5aed5faedffba7c62

SHA1
6f0909f1ea1126b9eb4805fe464523ae216d97e1

SHA256
e9def0635dab39185c3a4e15338676f4593474aee04b32b9df9da13c479ef383

SHA512
2498da4bec53c28a50f9432e3e53f6d01b75a5fb7b36c9bd55d55401266129c6fe30124bda5677fa490b8c0a8c03ce3bd71d760e0d32082b7674591ce5c48475

Download Submit
C:\Users\Public\Documents\windows.exe

Filesize
485KB

MD5
5a6b06efbaa4b3b5aed5faedffba7c62

SHA1
6f0909f1ea1126b9eb4805fe464523ae216d97e1

SHA256
e9def0635dab39185c3a4e15338676f4593474aee04b32b9df9da13c479ef383

SHA512
2498da4bec53c28a50f9432e3e53f6d01b75a5fb7b36c9bd55d55401266129c6fe30124bda5677fa490b8c0a8c03ce3bd71d760e0d32082b7674591ce5c48475

Download Submit
\Users\Public\Documents\popo_cef.dll

Filesize
313KB

MD5
a54b312616275fe68b85b2f83806cf2d

SHA1
b2e916111f765f72e68be6c9528712dc5a1869ec

SHA256
58d494c2a150bda1961dce9c5ef879c66ed9d7df46dcaa3609daf832eb66f140

SHA512
83325f3e671ee3716723e04c4e9cb9981c070be8440f042bcee6d9c84961f034cc2d79d94a92fbc34547de53c98f800ac9b95f46d1b8684234bb4b3cffa1010a

Download Submit
\Users\Public\Documents\popo_cef.dll

Filesize
313KB

MD5
a54b312616275fe68b85b2f83806cf2d

SHA1
b2e916111f765f72e68be6c9528712dc5a1869ec

SHA256
58d494c2a150bda1961dce9c5ef879c66ed9d7df46dcaa3609daf832eb66f140

SHA512
83325f3e671ee3716723e04c4e9cb9981c070be8440f042bcee6d9c84961f034cc2d79d94a92fbc34547de53c98f800ac9b95f46d1b8684234bb4b3cffa1010a

Download Submit
\Users\Public\Documents\windows.exe

Filesize
485KB

MD5
5a6b06efbaa4b3b5aed5faedffba7c62

SHA1
6f0909f1ea1126b9eb4805fe464523ae216d97e1

SHA256
e9def0635dab39185c3a4e15338676f4593474aee04b32b9df9da13c479ef383

SHA512
2498da4bec53c28a50f9432e3e53f6d01b75a5fb7b36c9bd55d55401266129c6fe30124bda5677fa490b8c0a8c03ce3bd71d760e0d32082b7674591ce5c48475

Download Submit
\Users\Public\Documents\windows.exe

Filesize
485KB

MD5
5a6b06efbaa4b3b5aed5faedffba7c62

SHA1
6f0909f1ea1126b9eb4805fe464523ae216d97e1

SHA256
e9def0635dab39185c3a4e15338676f4593474aee04b32b9df9da13c479ef383

SHA512
2498da4bec53c28a50f9432e3e53f6d01b75a5fb7b36c9bd55d55401266129c6fe30124bda5677fa490b8c0a8c03ce3bd71d760e0d32082b7674591ce5c48475

Download Submit
\Users\Public\Documents\windows.exe

Filesize
485KB

MD5
5a6b06efbaa4b3b5aed5faedffba7c62

SHA1
6f0909f1ea1126b9eb4805fe464523ae216d97e1

SHA256
e9def0635dab39185c3a4e15338676f4593474aee04b32b9df9da13c479ef383

SHA512
2498da4bec53c28a50f9432e3e53f6d01b75a5fb7b36c9bd55d55401266129c6fe30124bda5677fa490b8c0a8c03ce3bd71d760e0d32082b7674591ce5c48475

Download Submit
\Users\Public\Documents\windows.exe

Filesize
485KB

MD5
5a6b06efbaa4b3b5aed5faedffba7c62

SHA1
6f0909f1ea1126b9eb4805fe464523ae216d97e1

SHA256
e9def0635dab39185c3a4e15338676f4593474aee04b32b9df9da13c479ef383

SHA512
2498da4bec53c28a50f9432e3e53f6d01b75a5fb7b36c9bd55d55401266129c6fe30124bda5677fa490b8c0a8c03ce3bd71d760e0d32082b7674591ce5c48475

Download Submit
\Users\Public\Documents\windows.exe

Filesize
485KB

MD5
5a6b06efbaa4b3b5aed5faedffba7c62

SHA1
6f0909f1ea1126b9eb4805fe464523ae216d97e1

SHA256
e9def0635dab39185c3a4e15338676f4593474aee04b32b9df9da13c479ef383

SHA512
2498da4bec53c28a50f9432e3e53f6d01b75a5fb7b36c9bd55d55401266129c6fe30124bda5677fa490b8c0a8c03ce3bd71d760e0d32082b7674591ce5c48475

Download Submit
memory/760-73-0x000000013FAE0000-0x000000013FDB6000-memory.dmp

Filesize
2.8MB

Download
memory/760-54-0x000000013FAE0000-0x000000013FDB6000-memory.dmp

Filesize
2.8MB

Download
memory/760-55-0x000000013FAE0000-0x000000013FDB6000-memory.dmp

Filesize
2.8MB

Download
memory/760-112-0x000000013FAE0000-0x000000013FDB6000-memory.dmp

Filesize
2.8MB

Download
memory/1648-103-0x00000000751F0000-0x000000007526D000-memory.dmp

Filesize
500KB

Download
memory/1648-104-0x00000000751F0000-0x000000007526D000-memory.dmp

Filesize
500KB

Download
memory/1648-113-0x00000000751F0000-0x000000007526D000-memory.dmp

Filesize
500KB

Download