14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe
Size

1.8MB
MD5

b4152f43ee6f842cff2302aefe5eabef
SHA1

24f38f6c202e08ffb39e2d6135c2ec6ed78885fe
SHA256

14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765
SHA512

51b801bbab3bc0501ad0aedd30072714701dce19fe0f84331be3ff743221c015995f819c81d7baa31866184bf9b266990d57ec835488937d07876398cd595b72
SSDEEP

49152:jxv9f3RO2Pmm0/d3rCLokmzIi4xx8q0dYTJ:jbBPmmWr5xMYHo

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3536	Browser.exe
864	mstsc.exe
1336	mstsc.exe

Loads dropped DLL 3 IoCs

pid	Process
3536	Browser.exe
864	mstsc.exe
1336	mstsc.exe

VMProtect packed file 12 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3244-133-0x0000000000400000-0x0000000000896000-memory.dmp	vmprotect
behavioral2/memory/3244-134-0x0000000000400000-0x0000000000896000-memory.dmp	vmprotect
behavioral2/files/0x0006000000023234-144.dat	vmprotect
behavioral2/files/0x0006000000023234-143.dat	vmprotect
behavioral2/memory/3244-145-0x0000000000400000-0x0000000000896000-memory.dmp	vmprotect
behavioral2/memory/3536-146-0x0000000064690000-0x0000000065690000-memory.dmp	vmprotect
behavioral2/memory/3244-149-0x0000000000400000-0x0000000000896000-memory.dmp	vmprotect
behavioral2/files/0x0006000000023243-161.dat	vmprotect
behavioral2/files/0x0006000000023243-162.dat	vmprotect
behavioral2/memory/864-163-0x0000000053E20000-0x0000000054E20000-memory.dmp	vmprotect
behavioral2/files/0x0006000000023243-175.dat	vmprotect
behavioral2/memory/1336-177-0x0000000053E20000-0x0000000054E20000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Browser.exe
File opened (read-only)	\??\U:	Browser.exe
File opened (read-only)	\??\E:	Browser.exe
File opened (read-only)	\??\K:	Browser.exe
File opened (read-only)	\??\M:	Browser.exe
File opened (read-only)	\??\L:	Browser.exe
File opened (read-only)	\??\Q:	Browser.exe
File opened (read-only)	\??\R:	Browser.exe
File opened (read-only)	\??\S:	Browser.exe
File opened (read-only)	\??\X:	Browser.exe
File opened (read-only)	\??\H:	Browser.exe
File opened (read-only)	\??\I:	Browser.exe
File opened (read-only)	\??\J:	Browser.exe
File opened (read-only)	\??\O:	Browser.exe
File opened (read-only)	\??\T:	Browser.exe
File opened (read-only)	\??\W:	Browser.exe
File opened (read-only)	\??\Y:	Browser.exe
File opened (read-only)	\??\Z:	Browser.exe
File opened (read-only)	\??\B:	Browser.exe
File opened (read-only)	\??\G:	Browser.exe
File opened (read-only)	\??\N:	Browser.exe
File opened (read-only)	\??\V:	Browser.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3244	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3628	1336	WerFault.exe	93

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3244	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe
3244	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe
3536	Browser.exe
3536	Browser.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	Browser.exe
Token: SeLoadDriverPrivilege	468	svchost.exe
Token: SeLoadDriverPrivilege	468	svchost.exe
Token: SeDebugPrivilege	864	mstsc.exe
Token: SeLoadDriverPrivilege	468	svchost.exe
Token: SeLoadDriverPrivilege	468	svchost.exe
Token: SeLoadDriverPrivilege	468	svchost.exe
Token: SeLoadDriverPrivilege	468	svchost.exe
Token: SeLoadDriverPrivilege	468	svchost.exe
Token: SeLoadDriverPrivilege	468	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3244	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe
3244	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 3536	3244	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	87
PID 3244 wrote to memory of 3536	3244	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	87
PID 3244 wrote to memory of 3536	3244	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	87
PID 864 wrote to memory of 1336	864	mstsc.exe	93
PID 864 wrote to memory of 1336	864	mstsc.exe	93
PID 864 wrote to memory of 1336	864	mstsc.exe	93

C:\Users\Admin\AppData\Local\Temp\14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe
"C:\Users\Admin\AppData\Local\Temp\14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Public\Videos\dDXtu_8\Browser.exe
  C:\Users\Public\Videos\dDXtu_8\\Browser.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Users\Admin\Videos\12B2839A_8\mstsc.exe
C:\Users\Admin\Videos\12B2839A_8\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\Videos\12B2839A_8\mstsc.exe
  C:\Users\Admin\Videos\12B2839A_8\mstsc.exe -acsi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 608
    3⤵
    - Program crash
    PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1336 -ip 1336
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Videos\12B2839A_8\Foundation.dll

Filesize
377KB

MD5
6b7cca9be87e20e63ebf0c146d4fe48c

SHA1
ba46f42dec2f388546e21bd94e97a00baf1e9a21

SHA256
fb671a9ae58fb0e9e619f7646f00468cd94dce34e1d52cbe047be11d4cc7b1de

SHA512
a637d9c3408a5fbcbdd84fd05e72a5779ef95c94405afdced9632dde05feaf5424c7f4bc9c050c26335c86159ff429c28995b7c6cef1d068f81f8f28ffcbedf2

Download Submit
C:\Users\Admin\Videos\12B2839A_8\Foundation.dll

Filesize
377KB

MD5
6b7cca9be87e20e63ebf0c146d4fe48c

SHA1
ba46f42dec2f388546e21bd94e97a00baf1e9a21

SHA256
fb671a9ae58fb0e9e619f7646f00468cd94dce34e1d52cbe047be11d4cc7b1de

SHA512
a637d9c3408a5fbcbdd84fd05e72a5779ef95c94405afdced9632dde05feaf5424c7f4bc9c050c26335c86159ff429c28995b7c6cef1d068f81f8f28ffcbedf2

Download Submit
C:\Users\Admin\Videos\12B2839A_8\Foundation.dll

Filesize
377KB

MD5
6b7cca9be87e20e63ebf0c146d4fe48c

SHA1
ba46f42dec2f388546e21bd94e97a00baf1e9a21

SHA256
fb671a9ae58fb0e9e619f7646f00468cd94dce34e1d52cbe047be11d4cc7b1de

SHA512
a637d9c3408a5fbcbdd84fd05e72a5779ef95c94405afdced9632dde05feaf5424c7f4bc9c050c26335c86159ff429c28995b7c6cef1d068f81f8f28ffcbedf2

Download Submit
C:\Users\Admin\Videos\12B2839A_8\ZP.log

Filesize
148KB

MD5
81c3afd83c9ad4dfe2ef851c8b36776c

SHA1
de120038e0ea1fc4605f87b2d12b5e438455b3df

SHA256
2584fca73c9e414327f23d18b161ddabec47c40f07fa3a9f01143b21df3e77ff

SHA512
479e07b77fb7ee2161ed4776d9a9c2f9dfc63e1f520a5b1365a1f16b83893deb0b41dbc2012d3b5faee6279920517005a20fbdbdbeaf8cfaccecf6eccf9b9a95

Download Submit
C:\Users\Admin\Videos\12B2839A_8\mstsc.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
C:\Users\Admin\Videos\12B2839A_8\mstsc.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
C:\Users\Admin\Videos\12B2839A_8\mstsc.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
C:\Users\Public\Videos\dDXtu_8\Browser.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
C:\Users\Public\Videos\dDXtu_8\Browser.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
C:\Users\Public\Videos\dDXtu_8\Foundation.dll

Filesize
377KB

MD5
6b7cca9be87e20e63ebf0c146d4fe48c

SHA1
ba46f42dec2f388546e21bd94e97a00baf1e9a21

SHA256
fb671a9ae58fb0e9e619f7646f00468cd94dce34e1d52cbe047be11d4cc7b1de

SHA512
a637d9c3408a5fbcbdd84fd05e72a5779ef95c94405afdced9632dde05feaf5424c7f4bc9c050c26335c86159ff429c28995b7c6cef1d068f81f8f28ffcbedf2

Download Submit
C:\Users\Public\Videos\dDXtu_8\Foundation.dll

Filesize
377KB

MD5
6b7cca9be87e20e63ebf0c146d4fe48c

SHA1
ba46f42dec2f388546e21bd94e97a00baf1e9a21

SHA256
fb671a9ae58fb0e9e619f7646f00468cd94dce34e1d52cbe047be11d4cc7b1de

SHA512
a637d9c3408a5fbcbdd84fd05e72a5779ef95c94405afdced9632dde05feaf5424c7f4bc9c050c26335c86159ff429c28995b7c6cef1d068f81f8f28ffcbedf2

Download Submit
C:\Users\Public\Videos\dDXtu_8\ZP.log

Filesize
148KB

MD5
81c3afd83c9ad4dfe2ef851c8b36776c

SHA1
de120038e0ea1fc4605f87b2d12b5e438455b3df

SHA256
2584fca73c9e414327f23d18b161ddabec47c40f07fa3a9f01143b21df3e77ff

SHA512
479e07b77fb7ee2161ed4776d9a9c2f9dfc63e1f520a5b1365a1f16b83893deb0b41dbc2012d3b5faee6279920517005a20fbdbdbeaf8cfaccecf6eccf9b9a95

Download Submit
memory/864-172-0x0000000000C40000-0x0000000000C97000-memory.dmp

Filesize
348KB

Download
memory/864-167-0x0000000000C40000-0x0000000000C97000-memory.dmp

Filesize
348KB

Download
memory/864-170-0x0000000000C40000-0x0000000000C97000-memory.dmp

Filesize
348KB

Download
memory/864-169-0x0000000000C40000-0x0000000000C97000-memory.dmp

Filesize
348KB

Download
memory/864-168-0x0000000000C40000-0x0000000000C97000-memory.dmp

Filesize
348KB

Download
memory/864-163-0x0000000053E20000-0x0000000054E20000-memory.dmp

Filesize
16.0MB

Download
memory/864-174-0x0000000000C40000-0x0000000000C97000-memory.dmp

Filesize
348KB

Download
memory/1336-177-0x0000000053E20000-0x0000000054E20000-memory.dmp

Filesize
16.0MB

Download
memory/1336-180-0x0000000000B90000-0x0000000000BE7000-memory.dmp

Filesize
348KB

Download
memory/1336-181-0x0000000000B90000-0x0000000000BE7000-memory.dmp

Filesize
348KB

Download
memory/3244-134-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/3244-145-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/3244-133-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/3244-149-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/3244-136-0x0000000077000000-0x0000000077001000-memory.dmp

Filesize
4KB

Download
memory/3536-146-0x0000000064690000-0x0000000065690000-memory.dmp

Filesize
16.0MB

Download
memory/3536-171-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-152-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-150-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-176-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-151-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-154-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-153-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-182-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-183-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-184-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download
memory/3536-185-0x00000000033B0000-0x0000000003407000-memory.dmp

Filesize
348KB

Download