Overview

overview

7

Static

static

7

tax2.exe

windows7-x64

7

tax2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/08/2023, 06:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tax2.exe

  • Size

    9.4MB

  • MD5

    1d0ba5029590e6d2b74b7e5fab8df1a8

  • SHA1

    82bfe6dd1348411b248bcd9df87d7701e5f36070

  • SHA256

    e82621503a51dbb8986725217c2dd391df39711e6ccbbb68d93eb8df1e3a5c18

  • SHA512

    bc94e999a15fdb54eb72137894c09039081a3b92cdaa1f6a1785754ef65f6810222ba8b8adf1e5cb18ed71f4ac760347b8ddca24abed520b4b0ef7f820d37592

  • SSDEEP

    196608:NbVhMIVoOezLknhHslZUKsXO72JBZdAahL1FHvmvqUl6trJB:hVhMg8ahHB16aFHvgqy6trJB

Score
7/10
themidavmprotect

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Themida packer 13 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • VMProtect packed file 14 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tax2.exe
    "C:\Users\Admin\AppData\Local\Temp\tax2.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c set
      2⤵
        PID:4544
      • C:\Users\Admin\AppData\Local\Temp\tax2.exe
        PECMD**pecmd-cmd* PUTF -dd -skipb=5125120 -len=4697418 "C:\Users\Admin\AppData\Local\Temp\~8155497709657768278.tmp",,C:\Users\Admin\AppData\Local\Temp\tax2.exe
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Users\Admin\AppData\Local\Temp\~3436132241627511610~\sg.tmp
        7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~8155497709657768278.tmp" -y -aos -o"C:\Program Files (x86)\Microsoft Silverlighte" -psMx8I9DtD9bmbxpmTWuHxRmwhZXq0iv7TqkKXpWcSTURDdZqEQVO13x
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
      • C:\Program Files (x86)\Microsoft Silverlighte\medge.exe
        "C:\Program Files (x86)\Microsoft Silverlighte\medge.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3408

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Silverlighte\SmadHook32.dll
      Filesize

      832KB

      MD5

      56d6cfe8df69e0caf27ea087db63b716

      SHA1

      5794014ddec2adfe6917cc18a878d977a928477d

      SHA256

      4102a0c9118c27f5ebb282224a8f85f7a584f80180c0e6c2b87663c5b1873b4c

      SHA512

      9f7282de1be48f17c3f5922a61a4582cb9e766bae83d073573fdb1591ccb241416855bf929be4c43524a635158d08094ffd275894a3234c1a0c13807769cef06

      Download Submit

    • C:\Program Files (x86)\Microsoft Silverlighte\SmadHook32.dll
      Filesize

      832KB

      MD5

      56d6cfe8df69e0caf27ea087db63b716

      SHA1

      5794014ddec2adfe6917cc18a878d977a928477d

      SHA256

      4102a0c9118c27f5ebb282224a8f85f7a584f80180c0e6c2b87663c5b1873b4c

      SHA512

      9f7282de1be48f17c3f5922a61a4582cb9e766bae83d073573fdb1591ccb241416855bf929be4c43524a635158d08094ffd275894a3234c1a0c13807769cef06

      Download Submit

    • C:\Program Files (x86)\Microsoft Silverlighte\medge.exe
      Filesize

      77KB

      MD5

      b830cd1b49bd31bcdb6192c20cf0b141

      SHA1

      b9629fdd735956772e9a3ceedcdb829bba6f8a43

      SHA256

      21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820

      SHA512

      0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd

      Download Submit

    • C:\Program Files (x86)\Microsoft Silverlighte\medge.exe
      Filesize

      77KB

      MD5

      b830cd1b49bd31bcdb6192c20cf0b141

      SHA1

      b9629fdd735956772e9a3ceedcdb829bba6f8a43

      SHA256

      21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820

      SHA512

      0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd

      Download Submit

    • C:\Program Files (x86)\Microsoft Silverlighte\xir.exe
      Filesize

      3.8MB

      MD5

      aba4ffbb5ac39a5225770f729aac4a1f

      SHA1

      1a951b09feb042c384af679b045b32f9a736f492

      SHA256

      5c061bfb44d8e7c50b82fc926aca9f268dfe2741107c3b3f0cab7a4ad72cceeb

      SHA512

      1e5b9b97aaa657b463c06498b4f51bfd81ea7f78297206925485f8a79c65dcccb29e3b7059640bf7460b1997d024d3305c9b1b150260e78ab6b48ebbae7f9b98

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~3436132241627511610~\sg.tmp
      Filesize

      1.1MB

      MD5

      8a36dcd25ae8543d26b0a99b7d48864a

      SHA1

      72581de60cedf59b1b932f6201bafc7cb02bb56e

      SHA256

      b3daf97e499467c6337b4320059ac44bc7a949dc4e500eb0d2f79f900a229531

      SHA512

      26eecfa81f6c94a89d1f9be0224a3f36309a5c43d658055f48e6e7ee2847c29bddf665f077381ee5b318201bc7658f6cfc36d248f64f51302622e5e949f147ef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~8155497709657768278.tmp
      Filesize

      4.5MB

      MD5

      a3dff8a7b8e0a9ba788d44593c994ab1

      SHA1

      b5acda93a69a572f6a6400bb3b79662b17795db8

      SHA256

      f356f0a1a59f60b97e3d382716dde5cd43c0a560f800e0ed702ff699821fa9b4

      SHA512

      53154b5678871542047e37c2ad63b6c5d68aaf6d2f1260d907e1866b3650e7e24521b90453ce3f89b56e15902603675cf78b35c9a9271154b6989e8b3479390b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~8155497709657768278.tmp
      Filesize

      4.5MB

      MD5

      a3dff8a7b8e0a9ba788d44593c994ab1

      SHA1

      b5acda93a69a572f6a6400bb3b79662b17795db8

      SHA256

      f356f0a1a59f60b97e3d382716dde5cd43c0a560f800e0ed702ff699821fa9b4

      SHA512

      53154b5678871542047e37c2ad63b6c5d68aaf6d2f1260d907e1866b3650e7e24521b90453ce3f89b56e15902603675cf78b35c9a9271154b6989e8b3479390b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~~6773447355827174452.tmp
      Filesize

      227B

      MD5

      5f0b14d5e396223c43d7cc219b9509b2

      SHA1

      dac67af74c8288b6ac6f5105b3020632a026c060

      SHA256

      7e335f666fb1a6fe38ae76978155c67d2a1fa21cc05cf7e442feeda3adb6c63b

      SHA512

      0ff39c3f59159099ac4e612d141a93f9398aae9bdcae509cd56bbccf82aff2c93ce03e8dad647353ff42b9607934cae31b777fdf79605e5796fe029cc737c1ff

      Download Submit

    • memory/1016-149-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/1016-146-0x00007FFD2B690000-0x00007FFD2B885000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1016-148-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/1016-150-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/1016-152-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/1016-153-0x00007FFD2B690000-0x00007FFD2B885000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1016-147-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/1016-145-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/3164-161-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/3164-133-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/3164-138-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/3164-137-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/3164-136-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/3164-135-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/3164-134-0x00007FFD2B690000-0x00007FFD2B885000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3164-7744-0x0000000140000000-0x0000000140BB1000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/3164-180-0x00007FFD2B690000-0x00007FFD2B885000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3408-177-0x0000000075F40000-0x0000000076155000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3408-13251-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-4052-0x0000000077180000-0x0000000077320000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/3408-6061-0x00000000751F0000-0x000000007526A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/3408-175-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13247-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13248-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13250-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13249-0x0000000002740000-0x0000000002840000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3408-176-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13252-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13253-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13254-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13255-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13256-0x0000000002740000-0x0000000002840000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3408-13258-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3408-13259-0x0000000002740000-0x0000000002840000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3408-13260-0x0000000002740000-0x0000000002840000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3408-13273-0x0000000010000000-0x00000000101C7000-memory.dmp

      Filesize

      1.8MB

      Download