Analysis

  • max time kernel: 118s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20230831-en
  • resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/10/2023, 10:24

General

  • Target: 999396ef653e77f7fd6ef685fc7ca54de66c19b39e17a5986bfd99130a03b673.exe
  • Size: 715KB
  • MD5: 9624fcdfbe8cc7b9525ba83e88432c37
  • SHA1: 504f631044accfd8037b151300d3c2675bfca7c1
  • SHA256: 999396ef653e77f7fd6ef685fc7ca54de66c19b39e17a5986bfd99130a03b673
  • SHA512: 7ff20f1592af1afc9bf04d76866e3672986a761b63ee651137ebd2047ef9af71faa7b277c3fedb5254e5af102db86bcf916018558911ca7788f9e713efe05210
  • SSDEEP: 12288:E2hWqY6jkFzcBZV4JiNSzYElBmu6i8B+MdTS3PgF9N1EXLTMZ3xFSpiOoF/4AiqT:EKLMeZKJLXOi8B+3c9XULAZhFSAFF/Ga

Score
10/10

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    PID:484
    • C:\Users\Admin\AppData\Local\Temp\mncct.exe
      C:\Users\Admin\AppData\Local\Temp\mncct.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
  • C:\Users\Admin\AppData\Local\Temp\999396ef653e77f7fd6ef685fc7ca54de66c19b39e17a5986bfd99130a03b673.exe
    "C:\Users\Admin\AppData\Local\Temp\999396ef653e77f7fd6ef685fc7ca54de66c19b39e17a5986bfd99130a03b673.exe"
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\999396ef653e77f7fd6ef685fc7ca54de66c19b39e17a5986bfd99130a03b673.exe"
      2⤵
      • Deletes itself
      PID:2708

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mncct.exe
    Filesize: 1.1MB
    MD5: a03f9e167ade17c57fd44c4648e3f18f
    SHA1: b93e9cfa28c7c3cfe45463826a868c8521f9d259
    SHA256: cc20eab9f678fabf13e3b8f431e52482fef4c0dee23a8ae8da157d37e068e76a
    SHA512: 03663ef0ce7d6c468d41216c2e14f361ec20b95ac8315b09a1d9f169fdfc6a9bab7fa6fa0ac3526a19b723654556f76f9d9802dfc82f85329b058c5fd46c74ec

  • \Users\Admin\AppData\Local\Temp\Checker_ABCD1000.dll
    Filesize: 805KB
    MD5: 821669b2f2722151a7c24bcfea419f73
    SHA1: aa2d6b1d5e3be59b2f2b6a9ec73a34f9eeca3128
    SHA256: 4af1afc73a541b09a801fa824442155a953ab432c42ebe1b6fcc34a684e34079
    SHA512: bd4f489d1cc1b65f89dae7d3151273a6cd53093e5dd870d6df71cb118d9a91295bd3aeb8757abcb73d2868b1a93960ad59649dcc0d9d38cd44d83f8e3a66249e

  • \Users\Admin\AppData\Local\Temp\mncct.exe
    Filesize: 1.1MB
    MD5: a03f9e167ade17c57fd44c4648e3f18f
    SHA1: b93e9cfa28c7c3cfe45463826a868c8521f9d259
    SHA256: cc20eab9f678fabf13e3b8f431e52482fef4c0dee23a8ae8da157d37e068e76a
    SHA512: 03663ef0ce7d6c468d41216c2e14f361ec20b95ac8315b09a1d9f169fdfc6a9bab7fa6fa0ac3526a19b723654556f76f9d9802dfc82f85329b058c5fd46c74ec

  • memory/2012-1-0x0000000000F40000-0x00000000010C0000-memory.dmp
    Filesize: 1.5MB

  • memory/2012-0-0x0000000000F40000-0x00000000010C0000-memory.dmp
    Filesize: 1.5MB

  • memory/2012-13-0x0000000000F40000-0x00000000010C0000-memory.dmp
    Filesize: 1.5MB