d4bfc6d10803426aa544a6d1b4a31f9d545800178b5a7f8367f30bc9eb415820

Resubmissions

30/08/2023, 14:23

230830-rqlfxsfb2s 7

30/08/2023, 14:22

230830-rp15zsfa9w 7

Analysis

max time kernel
1623s
max time network
1446s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 14:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sadio3d.exe
Size

5.4MB
MD5

a5dab1892e8be7aecf1923f41e16b619
SHA1

ceda17ef6ddb899eb9406a1c10eebca902e60f18
SHA256

d4bfc6d10803426aa544a6d1b4a31f9d545800178b5a7f8367f30bc9eb415820
SHA512

14c9563877f0e8ce891ffe8efed6a3252631f7c5abe434b8539102d945f14f8c79476d68919ae6459347cce36718c5eb51f34e9d3bbcccf15b686530dc2eb876
SSDEEP

98304:vjIaXDh6+wOaOlfgLwqxd0Iz3POckkLCTE8o7N1rXILJ0gA2KDRuCEFl/leGb1I:v8aToOzfgUqxLz3mctH7NVyoNDRuCKly

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1084-0-0x00007FF6D2430000-0x00007FF6D2D43000-memory.dmp	vmprotect
behavioral1/memory/1084-4-0x00007FF6D2430000-0x00007FF6D2D43000-memory.dmp	vmprotect
behavioral1/memory/1084-7-0x00007FF6D2430000-0x00007FF6D2D43000-memory.dmp	vmprotect

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{302E8715-B7A7-4A38-99F2-B8ECB4005D7F}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1084	sadio3d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1084	sadio3d.exe
1084	sadio3d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1084	sadio3d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4524	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sadio3d.exe
"C:\Users\Admin\AppData\Local\Temp\sadio3d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:840

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsu3D51.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
42f9bc2d22f133289d8081696dea6aef

SHA1
46719986d861785ad3b724eaf4d1efe5b93c25ed

SHA256
731aaee03c6c382304b8cd1c23075de4c342fde6aeba80be879e274aeb3a12ea

SHA512
52dd401bc927a3d3147b703cd4b84d9dafd64294540352811ad4efacb233e92feedcfca1666dbd5a50cd74c1e6750ec0b73f63c3e52d851369934e0839407a0f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
7854dba769f39e0fc7231a5431f60e34

SHA1
4685c5e37b2b276ace1b5a8195501ce3f61e0857

SHA256
8cccfc1d51ce2f0c9f2dab2cf4814f7ecaced9b7ee975bc4db68142638e9df29

SHA512
0d404b55f4e5b0b1275ebac10b48c79534dbdb58fa9868c9d563cb38ae344becf49f3ab1598fd13390756396a9092b9dbd6c6d263296d561522cfdedc7a3c939

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a2f39b862597fca4746b068c9b40a7c1

SHA1
aa499d22ff0900db8eb83ab3a8c3b664dda8e047

SHA256
2a47fb1b2c740e8b7384ffd77c3d84a774f75a5a19d9f696fb5b590a82bc0bcd

SHA512
a74ea33aafcac03b303f3c85142866288269bbbf7dd97b8362b541f23635a81d03fbe8fa2c9f39db8717433cf6fd577ee2cbc8b6c96907bcb6600b91e8043079

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
baa49ebd92d51609454a5a0c17a719ae

SHA1
d59ee37bb3f66c5f5089863fd1711d3c8a4bb3cf

SHA256
89495c129a46ebf15d6b1e288dd1714344d6d4ed4872760d6da3df9ce8393448

SHA512
1c7c5a2d09388bbd02b5550d57eeab27970d238520593079712852ff500fd30bead4ff06b5de044b241e6e3f73daf782a833a462d9487360b8cd4b9803b4a0f8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
b0d698618970b9232ebb5d41a60fe1e8

SHA1
5dceb386c8a49d12d30569d8fcd251ceba4f06ec

SHA256
a3433e859c858ee5ec9461174eb254b618a95401787e7327032edce545e0994c

SHA512
109cf7a959318c539cc85f7d1dc5f1eede88681070e793acf7178cbf9c1ff4434c5fd446255a15b990b9ad63fa7b178c48b527fdfc87e429f6ef16e0fba6be60

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
69859c4b57631584caf8d3b2f4c6f035

SHA1
70b379e30c23cd8a1a71e11093bdbca381bf2e8e

SHA256
4d8a9f3e3def2045ac2566c85ae0e1e3c7b54132e7ba76277e9642b0674a90e0

SHA512
5c3265464e201f8af434d4f1d333aba084af78daf39f7043b381e8b74201071a325f53bfe76707e0b6ec5b0ac4351121439abb6f0e03a7fe31dfb4b7ad29eb4c

Download Submit
memory/1084-7-0x00007FF6D2430000-0x00007FF6D2D43000-memory.dmp

Filesize
9.1MB

Download
memory/1084-0-0x00007FF6D2430000-0x00007FF6D2D43000-memory.dmp

Filesize
9.1MB

Download
memory/1084-4-0x00007FF6D2430000-0x00007FF6D2D43000-memory.dmp

Filesize
9.1MB

Download
memory/1084-3-0x00007FFC7A380000-0x00007FFC7A382000-memory.dmp

Filesize
8KB

Download
memory/1084-2-0x00007FFC7A370000-0x00007FFC7A372000-memory.dmp

Filesize
8KB

Download
memory/4524-160-0x000002253BF40000-0x000002253BF50000-memory.dmp

Filesize
64KB

Download
memory/4524-176-0x000002253C040000-0x000002253C050000-memory.dmp

Filesize
64KB

Download
memory/4524-192-0x0000022544360000-0x0000022544361000-memory.dmp

Filesize
4KB

Download
memory/4524-194-0x0000022544390000-0x0000022544391000-memory.dmp

Filesize
4KB

Download
memory/4524-195-0x0000022544390000-0x0000022544391000-memory.dmp

Filesize
4KB

Download
memory/4524-196-0x00000225444A0000-0x00000225444A1000-memory.dmp

Filesize
4KB

Download