4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea

Analysis

max time kernel
248s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe
Size

6.4MB
MD5

59e1852e8e8643b0433e3682dd254a66
SHA1

aff4a28d9ff8fa5991eb930923e83b6b27662e24
SHA256

4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea
SHA512

4404914494468c05fe22e00158aeeaee54c254ae1a07dee1f48d973f6d677aa457453165c03c8472bdddce8ad9be8e10b9328d328ae12ab587815facc8cedbe3
SSDEEP

196608:VD4JIKyTpWO7JPEcw9BRPGSrOe3stZLRjQ01:VsJIKWpWO7lO9zPGne3wZVjQ01

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2932	XRJNZC.exe
328	XRJNZC.exe
1688	XRJNZC.exe
1888	XRJNZC.exe
1648	XRJNZC.exe

Loads dropped DLL 1 IoCs

pid	Process
2712	cmd.exe

VMProtect packed file 19 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1976-0-0x0000000000970000-0x000000000156B000-memory.dmp	vmprotect
behavioral1/memory/1976-5-0x0000000000970000-0x000000000156B000-memory.dmp	vmprotect
behavioral1/files/0x002e000000015596-19.dat	vmprotect
behavioral1/files/0x002e000000015596-18.dat	vmprotect
behavioral1/files/0x002e000000015596-20.dat	vmprotect
behavioral1/memory/2932-21-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect
behavioral1/memory/2932-26-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect
behavioral1/files/0x002e000000015596-28.dat	vmprotect
behavioral1/memory/328-29-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect
behavioral1/memory/328-34-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect
behavioral1/files/0x002e000000015596-36.dat	vmprotect
behavioral1/memory/1688-37-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect
behavioral1/memory/1688-42-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect
behavioral1/files/0x002e000000015596-44.dat	vmprotect
behavioral1/memory/1888-45-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect
behavioral1/memory/1888-50-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect
behavioral1/files/0x002e000000015596-52.dat	vmprotect
behavioral1/memory/1648-53-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect
behavioral1/memory/1648-58-0x00000000011F0000-0x0000000001DEB000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2900	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2792	timeout.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2712	1976	4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe	28
PID 1976 wrote to memory of 2712	1976	4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe	28
PID 1976 wrote to memory of 2712	1976	4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe	28
PID 1976 wrote to memory of 2712	1976	4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe	28
PID 2712 wrote to memory of 2792	2712	cmd.exe	30
PID 2712 wrote to memory of 2792	2712	cmd.exe	30
PID 2712 wrote to memory of 2792	2712	cmd.exe	30
PID 2712 wrote to memory of 2792	2712	cmd.exe	30
PID 2712 wrote to memory of 2932	2712	cmd.exe	31
PID 2712 wrote to memory of 2932	2712	cmd.exe	31
PID 2712 wrote to memory of 2932	2712	cmd.exe	31
PID 2712 wrote to memory of 2932	2712	cmd.exe	31
PID 2932 wrote to memory of 2900	2932	XRJNZC.exe	32
PID 2932 wrote to memory of 2900	2932	XRJNZC.exe	32
PID 2932 wrote to memory of 2900	2932	XRJNZC.exe	32
PID 2932 wrote to memory of 2900	2932	XRJNZC.exe	32
PID 2304 wrote to memory of 328	2304	taskeng.exe	37
PID 2304 wrote to memory of 328	2304	taskeng.exe	37
PID 2304 wrote to memory of 328	2304	taskeng.exe	37
PID 2304 wrote to memory of 328	2304	taskeng.exe	37
PID 2304 wrote to memory of 1688	2304	taskeng.exe	38
PID 2304 wrote to memory of 1688	2304	taskeng.exe	38
PID 2304 wrote to memory of 1688	2304	taskeng.exe	38
PID 2304 wrote to memory of 1688	2304	taskeng.exe	38
PID 2304 wrote to memory of 1888	2304	taskeng.exe	39
PID 2304 wrote to memory of 1888	2304	taskeng.exe	39
PID 2304 wrote to memory of 1888	2304	taskeng.exe	39
PID 2304 wrote to memory of 1888	2304	taskeng.exe	39
PID 2304 wrote to memory of 1648	2304	taskeng.exe	40
PID 2304 wrote to memory of 1648	2304	taskeng.exe	40
PID 2304 wrote to memory of 1648	2304	taskeng.exe	40
PID 2304 wrote to memory of 1648	2304	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe
"C:\Users\Admin\AppData\Local\Temp\4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1iw.0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2792
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
      4⤵
      Creates scheduled task(s)
      PID:2900

C:\Windows\system32\taskeng.exe
taskeng.exe {310BE0C3-899B-4383-BD95-F7E62E275CFC} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:328
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\ProgramData\pinterests\XRJNZC.exe
  C:\ProgramData\pinterests\XRJNZC.exe
  2⤵
  - Executes dropped EXE
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
283KB

MD5
36f6f80ae08a19112a9957b1582d1b86

SHA1
fa7003e29c6d44070af078a4ec88ba4e5b30335c

SHA256
91784e703c576456883b99a36123e6261a6b1ba9c470fb9b5b8bf2bc6a9ab322

SHA512
50c906aafff1c408b14fe379b822bf00a63edc094714682acc234473f10e6dce3ae1d56dfda1dff6c32a29ae37226a05d64a3174c423d78c454dd622875ee6af

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
288KB

MD5
b865ff35b9f5905a0bda51d201582cbc

SHA1
4a67b23b0a665e13b15556ba86fa963f8de9ec0e

SHA256
10e098792e1f5eaa6f544b62fcea3de1eade8c376bdd46e40621a60971f87daf

SHA512
5a910b1538caf61fc45aa4479c2b81b16a2950a6084346550ff8a522725ea63e3a02f9e33917823e9dc2e40027499c6ed798c32d204616e5b032f01c3ad60137

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
3.0MB

MD5
117d83b04d3a4389db0bc2c0f63a0f2e

SHA1
dc47cc273c2ac528d1f8de031e6cbb8ba06565c1

SHA256
44756479d44d2d7d2574844b8fbfaf36126c4143e96bc264f5820d82a132e4f6

SHA512
97672ea85b8b3f076a8891605a5474095b6f3da155f7f41e3993798a1f3c5a51bb9afe58701ab8af8c8c8c0e2384fba4ac983624d38cae3147c7123797a3d846

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
2.8MB

MD5
97f94a186a37b9fca904e07ac4b1e4d8

SHA1
3453467c782b1776212db55a099e3e5f70cf6431

SHA256
e7c852b1a9b46b4c0b830a386763083c387ebe3e0c080f6afc4e6eb96094257e

SHA512
02245f7e23617c9078b7aa680182988c8ab588b8adc74d821fee3993e3ccb0516247c163ca6d8a40a7f20bf3a3dff55f55f086abb6819ca1dfed02bf56cfe87a

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
592KB

MD5
e5b9d2e419f672588d9351063fb51bc5

SHA1
8255aefad5f6c717149fc6ea1a83d2d2d50cc7f8

SHA256
fc2f5f3b1ced6bdd814f71e2ea521556f84a7f773ce6b46b10c6539a85cfba2b

SHA512
143b38e50bf48b6e535ae3c09c93cfe9203892b8a8e8a7cede6f9f8a2e5ff0c913f050f0f67043ea4a86f584dd28d07dd2779e53e1bd73995dadfd27abafc262

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
921KB

MD5
bd9cea852bae32fb32602650c3f62c78

SHA1
584fb3e18ba1040ac6b0f8ca09c09390fa5f81bc

SHA256
f227a506b6ec03b60eb827f7e730bea98e9f926484a7fddd699a112b64ae5d72

SHA512
4bade23baaf9fe0fe32cf95a4455c9d62c79a1d27021a13463b84986d7154ae8044e9558662fca99a4f6ceaa4df6fcd51bee2e9776585a1002d20890ab926fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1iw.0.bat

Filesize
176B

MD5
44ce9fea077c237e96331402059ccfe6

SHA1
6261f759b67d7bb9a10d96f1803a35fe3407400f

SHA256
7c7acfcc4eb62cca9ce718ccb584c83fce433e0a804a2fc6d4f40a808287c50a

SHA512
e1f151499040b8dc4ff10ae0f77b62782ca8b6774d249c432c026b0a39dc0f412326f7c04459fb9a81c579b1faf3f8c3d6a704d6ce4eb6d8689fb1dcbf840936

Download Submit
\ProgramData\pinterests\XRJNZC.exe

Filesize
181KB

MD5
3f85f719e358f451ceeaea09dd84ff0d

SHA1
743ea217051d262fbf6fe7e592f4fe8b767678ff

SHA256
213d63639e482e51d8e250e21b2385ccde17e755bd4a4a15009c92326ab758db

SHA512
9144333e02f76b0f7edf7189538d0af1ecadd858fcfe2178fa0807357c5aa829b9fc93c4636d4f817681998fd63d1f9e4ef4d36adc51d42b16ff4a98b58b8d75

Download Submit
memory/328-34-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download
memory/328-29-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download
memory/1648-53-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download
memory/1648-58-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download
memory/1688-37-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download
memory/1688-42-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download
memory/1888-45-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download
memory/1888-50-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download
memory/1976-0-0x0000000000970000-0x000000000156B000-memory.dmp

Filesize
12.0MB

Download
memory/1976-5-0x0000000000970000-0x000000000156B000-memory.dmp

Filesize
12.0MB

Download
memory/2932-26-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download
memory/2932-21-0x00000000011F0000-0x0000000001DEB000-memory.dmp

Filesize
12.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads