Analysis
-
max time kernel
146s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
14-10-2023 01:11
General
-
Target
2c67c5e549d71c1c680f5c96936a7d48435c8d73bd8fafed5b5a8493cdfa999c.exe
-
Size
1.3MB
-
MD5
558bc602b25b8db9b378f2fd0e9afae3
-
SHA1
c4c07ad217b8fe7ca6af747237244385abfa2d84
-
SHA256
2c67c5e549d71c1c680f5c96936a7d48435c8d73bd8fafed5b5a8493cdfa999c
-
SHA512
a26cda0e85f39f4d242ec83a31e840e0eb7443ca0760c64a09c578da969f9a57a1fb7de3a4ae285f7cbf3ae4cf15fbed3612747234134915af43d92e87084ab2
-
SSDEEP
24576:3Vuewq/OJLLGnVqiIKeISpq63lZE4u+N31+TRFnb168CqwO:luewqMGnr5yYnT/nJ5Cq
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 1 IoCs
-
VMProtect packed file 5 IoCs
Detects executables packed with VMProtect commercial packer.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c67c5e549d71c1c680f5c96936a7d48435c8d73bd8fafed5b5a8493cdfa999c.exe"C:\Users\Admin\AppData\Local\Temp\2c67c5e549d71c1c680f5c96936a7d48435c8d73bd8fafed5b5a8493cdfa999c.exe"1⤵
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\windows\DaDa\EVRootCA.reg2⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C SC STOP psP19GEP2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exeSC STOP psP19GEP3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C SC DELETE psP19GEP2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exeSC DELETE psP19GEP3⤵
- Launches sc.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
215KB
MD5eaef212d2415803e6f3f3cc7724bdd5c
SHA170185e704470a689f33b15a69bd9429e51f203d8
SHA256c495a028ee6a7a3bca32c6e501a5cf1cd25a9b57cc2b3f42d371cadd3ce0a5c5
SHA512aa2e9010d4a34d7c1730a16b91ec01096781ecf379b5022ad2c113fc58052f1490986eb36e73e1d92627204fa941ea08c9302ca997c07c0a30f4af9819f8b3ee
-
Filesize
215KB
MD5eaef212d2415803e6f3f3cc7724bdd5c
SHA170185e704470a689f33b15a69bd9429e51f203d8
SHA256c495a028ee6a7a3bca32c6e501a5cf1cd25a9b57cc2b3f42d371cadd3ce0a5c5
SHA512aa2e9010d4a34d7c1730a16b91ec01096781ecf379b5022ad2c113fc58052f1490986eb36e73e1d92627204fa941ea08c9302ca997c07c0a30f4af9819f8b3ee
-
Filesize
209KB
MD5cdb82b2a52d037737529f4286fcf4911
SHA11805516a93c3fdd020e43417d5090c35a98acc17
SHA25642af0a1520918facedff5684e35c525e3157ed91d363aefb64d2f0cd5a3f3e4b
SHA512d032970375d039d73275f252319aa896f9cdd343832fb26e7a7453d6e9fba252de12e31f074f0362198fe0f0e045512c336b2530fecf50cbd002af6fe6ff5eb6
-
Filesize
452KB
-
Filesize
452KB