Analysis Overview
SHA256
6ca88c9e467778629605f0e02cd88922370593fd79ceb973ea6123583ec4afd3
Threat Level: Shows suspicious behavior
The file 1cfc9408aa24c2be24ad3376087dc83b was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Writes to the Master Boot Record (MBR)
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-21 22:56
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-21 22:56
Reported
2023-12-22 00:55
Platform
win10v2004-20231215-en
Max time kernel
130s
Max time network
174s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4112 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | C:\Windows\SysWOW64\Wbem\wmic.exe |
| PID 4112 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | C:\Windows\SysWOW64\Wbem\wmic.exe |
| PID 4112 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | C:\Windows\SysWOW64\Wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe
"C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic BaseBoard get SerialNumber
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | luckbaby.me | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
memory/4112-0-0x0000000001BA0000-0x0000000001BA1000-memory.dmp
memory/4112-1-0x0000000001C10000-0x0000000001C11000-memory.dmp
memory/4112-2-0x0000000002150000-0x0000000002151000-memory.dmp
memory/4112-4-0x0000000002170000-0x0000000002171000-memory.dmp
memory/4112-5-0x0000000002180000-0x0000000002181000-memory.dmp
memory/4112-3-0x0000000002160000-0x0000000002161000-memory.dmp
memory/4112-6-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/4112-7-0x0000000002190000-0x0000000002191000-memory.dmp
memory/4112-8-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/4112-10-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/4112-15-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/4112-16-0x0000000000400000-0x0000000001B42000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-21 22:56
Reported
2023-12-22 00:55
Platform
win7-20231215-en
Max time kernel
25s
Max time network
53s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1980 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | C:\Windows\SysWOW64\Wbem\wmic.exe |
| PID 1980 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | C:\Windows\SysWOW64\Wbem\wmic.exe |
| PID 1980 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | C:\Windows\SysWOW64\Wbem\wmic.exe |
| PID 1980 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe | C:\Windows\SysWOW64\Wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe
"C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic BaseBoard get SerialNumber
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | luckbaby.me | udp |
Files
memory/1980-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1980-2-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/1980-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1980-5-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1980-6-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/1980-8-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/1980-9-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/1980-11-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/1980-14-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1980-16-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1980-21-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1980-19-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1980-31-0x0000000000320000-0x0000000000321000-memory.dmp
memory/1980-29-0x0000000000320000-0x0000000000321000-memory.dmp
memory/1980-26-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1980-24-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1980-32-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1980-36-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1980-37-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1980-34-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1980-39-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1980-41-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1980-43-0x00000000777E0000-0x00000000777E1000-memory.dmp
memory/1980-48-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/1980-49-0x0000000000400000-0x0000000001B42000-memory.dmp