Malware Analysis Report

2025-08-11 01:36

Sample ID 231208-f53g7shd56
Target f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973
SHA256 f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973
Tags
vmprotect blackmoon banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973

Threat Level: Known bad

The file f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973 was found to be: Known bad.

Malicious Activity Summary

vmprotect blackmoon banker trojan

Blackmoon, KrBanker

Detect Blackmoon payload

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-08 05:28

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 05:28

Reported

2023-12-08 05:30

Platform

win7-20231020-en

Max time kernel

139s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fog.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ESPI11.dll C:\Users\Admin\AppData\Local\Temp\Patch.exe N/A
File opened for modification C:\Windows\SysWOW64\ESPI11.dll C:\Users\Admin\AppData\Local\Temp\Patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Patch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe C:\Users\Admin\AppData\Local\Temp\Patch.exe
PID 2204 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Patch.exe C:\Users\Admin\AppData\Local\Temp\fog.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe

"C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe"

C:\Users\Admin\AppData\Local\Temp\Patch.exe

C:\Users\Admin\AppData\Local\Temp\\Patch.exe

C:\Users\Admin\AppData\Local\Temp\fog.exe

C:\Users\Admin\AppData\Local\Temp\fog.exe

Network

N/A

Files

memory/2116-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2116-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2116-4-0x0000000000400000-0x0000000001939000-memory.dmp

memory/2116-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\Patch.exe

MD5 757d9e9d11e35d3763c07743fcc6e7ed
SHA1 2037c66cac11ab802065c4dcac9866d74bab41c5
SHA256 0ec52b0bd46c831fbc7dc9dd2164f9821c16009dafd6c4191053420838f18637
SHA512 1f7029fdea1a135a3f2944a6f25c50897f494ebf437fadb4600c05c83c2bb75dad36b00a77ff5d231cbe6e3ffb8f2c02c8eb4b496f56719736f9ebd7482fbeb1

\Users\Admin\AppData\Local\Temp\ESPI11.dll

MD5 c3adbb35a05b44bc877a895d273aa270
SHA1 8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256 b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512 614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

\Windows\SysWOW64\ESPI11.dll

MD5 c3adbb35a05b44bc877a895d273aa270
SHA1 8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256 b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512 614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

\Users\Admin\AppData\Local\Temp\fog.exe

MD5 1dbc14b104a35c2a82f6a63429b59739
SHA1 a4ebec8b4a52d5449f96fed0fdcf15aea6efde7e
SHA256 3f529ba8703596a82c7873a9c47559d3a778a0b2fa5d5857e34f756571407743
SHA512 d2bdd77696ca143c994db32b75d636f72e8d045a63e6e80e1ea3b65d1bb80d96d324ecf399b9769f186e70c4dd54d01a7a03c4b123c5a3a71e69ff36ac9f932c

memory/2116-81-0x0000000000400000-0x0000000001939000-memory.dmp

memory/2204-82-0x0000000000400000-0x0000000000EF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 05:28

Reported

2023-12-08 05:30

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Patch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Patch.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ESPI11.dll C:\Users\Admin\AppData\Local\Temp\Patch.exe N/A
File opened for modification C:\Windows\SysWOW64\ESPI11.dll C:\Users\Admin\AppData\Local\Temp\Patch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe

"C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe"

C:\Users\Admin\AppData\Local\Temp\Patch.exe

C:\Users\Admin\AppData\Local\Temp\\Patch.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 122.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/3520-0-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

memory/3520-2-0x0000000000400000-0x0000000001939000-memory.dmp

memory/3520-1-0x0000000000400000-0x0000000001939000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Patch.exe

MD5 757d9e9d11e35d3763c07743fcc6e7ed
SHA1 2037c66cac11ab802065c4dcac9866d74bab41c5
SHA256 0ec52b0bd46c831fbc7dc9dd2164f9821c16009dafd6c4191053420838f18637
SHA512 1f7029fdea1a135a3f2944a6f25c50897f494ebf437fadb4600c05c83c2bb75dad36b00a77ff5d231cbe6e3ffb8f2c02c8eb4b496f56719736f9ebd7482fbeb1

C:\Users\Admin\AppData\Local\Temp\ESPI11.dll

MD5 c3adbb35a05b44bc877a895d273aa270
SHA1 8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256 b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512 614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

C:\Windows\SysWOW64\ESPI11.dll

MD5 c3adbb35a05b44bc877a895d273aa270
SHA1 8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256 b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512 614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

memory/4228-44-0x0000000000400000-0x0000000000EF0000-memory.dmp

memory/3520-48-0x0000000000400000-0x0000000001939000-memory.dmp