feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963

General

Target

feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
Size

10.6MB
MD5

9ea06e2ba709b7aaf037b50fc7632dfb
SHA1

a2d6829a9f2b00971b3ef84cb99393145654359d
SHA256

feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963
SHA512

3884c487c03ae05413279126f88dabd2848c98a1167c31e47a3801c5ec71cd669a3699417ac810775700dcb9b8604a03573f52db164ab3346d970bd1fa4e34df
SSDEEP

196608:vHBJ/2/o87W4NfDpk0imvabSJ67aMeCCB/B/kMmfNv8JwY:ZL87hlfiCXJmHelvwvH

Score

7^/10

vmprotect

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	latic.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2220-3-0x0000000000400000-0x00000000017CF000-memory.dmp	vmprotect
behavioral1/memory/2220-7-0x0000000000400000-0x00000000017CF000-memory.dmp	vmprotect
behavioral1/files/0x0034000000015004-45.dat	vmprotect
behavioral1/files/0x0034000000015004-42.dat	vmprotect
behavioral1/files/0x0034000000015004-46.dat	vmprotect
behavioral1/memory/2728-49-0x00000000003E0000-0x0000000000C6D000-memory.dmp	vmprotect
behavioral1/memory/2220-56-0x0000000000400000-0x00000000017CF000-memory.dmp	vmprotect
behavioral1/memory/2728-57-0x00000000003E0000-0x0000000000C6D000-memory.dmp	vmprotect

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2708	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
2728	latic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2728	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	28
PID 2220 wrote to memory of 2728	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	28
PID 2220 wrote to memory of 2728	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	28
PID 2220 wrote to memory of 2728	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	28
PID 2220 wrote to memory of 2728	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	28
PID 2220 wrote to memory of 2728	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	28
PID 2220 wrote to memory of 2728	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	28
PID 2220 wrote to memory of 2660	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	29
PID 2220 wrote to memory of 2660	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	29
PID 2220 wrote to memory of 2660	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	29
PID 2220 wrote to memory of 2660	2220	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	29
PID 2660 wrote to memory of 2708	2660	cmd.exe	31
PID 2660 wrote to memory of 2708	2660	cmd.exe	31
PID 2660 wrote to memory of 2708	2660	cmd.exe	31
PID 2660 wrote to memory of 2708	2660	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
"C:\Users\Admin\AppData\Local\Temp\feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\listp\latic.exe
  C:\listp\latic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\listp\latic.exe

Filesize
91KB

MD5
c4b2fb995853e907e1b3cc37f016e85f

SHA1
307428605bbeda24899ac6151cc10bd95ee64cb1

SHA256
f8fc59897f32ed61c530040633e09d643c98fc6a805c307c70774f58b7d2f82d

SHA512
d207f5a91639b324271710bb117ca7cc4f8c55e6797bce795c20c5ed22c4de6b0c5c8d9a7dd6409c83370948ddec849855904d7473d1a3c280f95c7063e29b74

Download Submit
C:\listp\latic.exe

Filesize
31KB

MD5
3ba9d54f907ac53c891a7626d32f2417

SHA1
a759323fdf220defd7d3e4d955114dafa2d7067b

SHA256
37d956f6cdec1a181b6b1d68b4d65d5854b682303222b4f51021c5e991993c1b

SHA512
8ae49b17f95eb8212cf0404e5844cfd25f638c378402d5930e79cc2ee32c37ae2e42e54947ea68e920ac215c90b0388d205cbf3cc1a77586b5d8ffef18e1b93b

Download Submit
\listp\latic.exe

Filesize
92KB

MD5
08c79cd04eac03a1b75822b63a07f116

SHA1
01f7329f3a4ffc9699958ad7b35c4f70c1a65a40

SHA256
8d84982bd382d4db69c3176495c928d20807cd8748e0f39249c5104d297d3a67

SHA512
3b5b60cae1ad301781177b19f16cb7a7210b327875a7f412d6f66332a9925805785972fc58c5c55049141509a83e4c85997c9e2497a8dec2e4a7abbe93bf2c44

Download Submit
memory/2220-21-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2220-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2220-38-0x0000000077DA0000-0x0000000077DA1000-memory.dmp

Filesize
4KB

Download
memory/2220-34-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2220-32-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2220-31-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2220-7-0x0000000000400000-0x00000000017CF000-memory.dmp

Filesize
19.8MB

Download
memory/2220-3-0x0000000000400000-0x00000000017CF000-memory.dmp

Filesize
19.8MB

Download
memory/2220-29-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2220-26-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2220-24-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2220-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2220-19-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2220-36-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2220-14-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2220-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2220-9-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2220-56-0x0000000000400000-0x00000000017CF000-memory.dmp

Filesize
19.8MB

Download
memory/2220-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2220-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2220-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2728-49-0x00000000003E0000-0x0000000000C6D000-memory.dmp

Filesize
8.6MB

Download
memory/2728-50-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2728-54-0x0000000077DA0000-0x0000000077DA1000-memory.dmp

Filesize
4KB

Download
memory/2728-52-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2728-57-0x00000000003E0000-0x0000000000C6D000-memory.dmp

Filesize
8.6MB

Download

Analysis

Sharing