4b6fd5e0d515036e1c5569bbb357f5df479dbd563bc00a65f5508778b359c96d

General

Target

목도서버 접속기v0.02.exe
Size

1.2MB
MD5

6a7bbe37cf4addb564d1100dd37443c4
SHA1

e2a15089713c7535072929ee0ee933d67cdda9bd
SHA256

4b6fd5e0d515036e1c5569bbb357f5df479dbd563bc00a65f5508778b359c96d
SHA512

5bd2bcce0c6a3a851cb31448329866790c7e4f27be949ed64a7acbc49f6e435ddb86ca1f5080ff8b557ff04143e2906923fdc13487c8a83ceed52a4127b91c4f
SSDEEP

24576:ph3F79O4Sr0HwN4K7ttXhkZwYlpMWrZkeM0jOipttdJIp:pPyr0Hw3tvKrMWrZkTb0/

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1376-1-0x00000000011D0000-0x00000000013C4000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
2596	powershell.exe
2836	powershell.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe
1376	목도서버 접속기v0.02.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	목도서버 접속기v0.02.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2836	1376	목도서버 접속기v0.02.exe	28
PID 1376 wrote to memory of 2836	1376	목도서버 접속기v0.02.exe	28
PID 1376 wrote to memory of 2836	1376	목도서버 접속기v0.02.exe	28
PID 1376 wrote to memory of 2836	1376	목도서버 접속기v0.02.exe	28
PID 1376 wrote to memory of 2596	1376	목도서버 접속기v0.02.exe	29
PID 1376 wrote to memory of 2596	1376	목도서버 접속기v0.02.exe	29
PID 1376 wrote to memory of 2596	1376	목도서버 접속기v0.02.exe	29
PID 1376 wrote to memory of 2596	1376	목도서버 접속기v0.02.exe	29

C:\Users\Admin\AppData\Local\Temp\목도서버 접속기v0.02.exe
"C:\Users\Admin\AppData\Local\Temp\목도서버 접속기v0.02.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionExtension 'exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionProcess 'chome.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WGLVS6VYUTQOG239UITC.temp

Filesize
7KB

MD5
4763b9680b2492a3dc4c50737f506d34

SHA1
34f7de0a93c1835762269df89bb12fd378b49a03

SHA256
ce6ef596f7e5f5ae95110f4647564330faee2795c494a9f5d72a70c49930c2dd

SHA512
abf64d7734b97064fb94e488de6fac26a2ec7a817caa0972340f9cbd83da93048a24044d2aed230fd5fa049538e6a6eed246bda17a46a5d85d7304787d6e5865

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4763b9680b2492a3dc4c50737f506d34

SHA1
34f7de0a93c1835762269df89bb12fd378b49a03

SHA256
ce6ef596f7e5f5ae95110f4647564330faee2795c494a9f5d72a70c49930c2dd

SHA512
abf64d7734b97064fb94e488de6fac26a2ec7a817caa0972340f9cbd83da93048a24044d2aed230fd5fa049538e6a6eed246bda17a46a5d85d7304787d6e5865

Download Submit
memory/1376-18-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1376-1-0x00000000011D0000-0x00000000013C4000-memory.dmp

Filesize
2.0MB

Download
memory/1376-2-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1376-3-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1376-0-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/1376-20-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1376-21-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1376-27-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1376-15-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-28-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-25-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-16-0x0000000002440000-0x0000000002480000-memory.dmp

Filesize
256KB

Download
memory/2596-23-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-12-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-11-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-22-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-19-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/2836-24-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-17-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/2836-26-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/2836-14-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-13-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/2836-29-0x000000006EF00000-0x000000006F4AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing