4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea

General

Target

4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe
Size

6.4MB
MD5

59e1852e8e8643b0433e3682dd254a66
SHA1

aff4a28d9ff8fa5991eb930923e83b6b27662e24
SHA256

4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea
SHA512

4404914494468c05fe22e00158aeeaee54c254ae1a07dee1f48d973f6d677aa457453165c03c8472bdddce8ad9be8e10b9328d328ae12ab587815facc8cedbe3
SSDEEP

196608:VD4JIKyTpWO7JPEcw9BRPGSrOe3stZLRjQ01:VsJIKWpWO7lO9zPGne3wZVjQ01

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3068	XRJNZC.exe
1336	XRJNZC.exe
4996	XRJNZC.exe
2736	XRJNZC.exe
4984	XRJNZC.exe
4676	XRJNZC.exe

VMProtect packed file 20 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4372-0-0x00000000010A0000-0x0000000001C9B000-memory.dmp	vmprotect
behavioral2/memory/4372-5-0x00000000010A0000-0x0000000001C9B000-memory.dmp	vmprotect
behavioral2/files/0x000600000001ac00-14.dat	vmprotect
behavioral2/files/0x000600000001ac00-15.dat	vmprotect
behavioral2/memory/3068-16-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/memory/3068-21-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/files/0x000600000001ac00-23.dat	vmprotect
behavioral2/memory/1336-24-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/memory/1336-29-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/files/0x000600000001ac00-31.dat	vmprotect
behavioral2/memory/4996-32-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/memory/4996-37-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/files/0x000600000001ac00-39.dat	vmprotect
behavioral2/memory/2736-40-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/memory/2736-45-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/files/0x000600000001ac00-47.dat	vmprotect
behavioral2/memory/4984-48-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/memory/4984-53-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect
behavioral2/files/0x000600000001ac00-55.dat	vmprotect
behavioral2/memory/4676-56-0x0000000000210000-0x0000000000E0B000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
220	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2092	timeout.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 192	4372	4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe	72
PID 4372 wrote to memory of 192	4372	4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe	72
PID 4372 wrote to memory of 192	4372	4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe	72
PID 192 wrote to memory of 2092	192	cmd.exe	74
PID 192 wrote to memory of 2092	192	cmd.exe	74
PID 192 wrote to memory of 2092	192	cmd.exe	74
PID 192 wrote to memory of 3068	192	cmd.exe	75
PID 192 wrote to memory of 3068	192	cmd.exe	75
PID 192 wrote to memory of 3068	192	cmd.exe	75
PID 3068 wrote to memory of 220	3068	XRJNZC.exe	77
PID 3068 wrote to memory of 220	3068	XRJNZC.exe	77
PID 3068 wrote to memory of 220	3068	XRJNZC.exe	77

C:\Users\Admin\AppData\Local\Temp\4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe
"C:\Users\Admin\AppData\Local\Temp\4a5d86a0ecb495bd2b21ca768d089b5e39f5595172172881326fd0119f0be6ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3dg.0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:192
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2092
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
      4⤵
      Creates scheduled task(s)
      PID:220

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:1336

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:4996

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:2736

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:4984

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
- Executes dropped EXE
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
1.8MB

MD5
19f79659c96f08ae9456ed9c6697bb4a

SHA1
9b6e9c0ea672e078a30e346cac4c7069a318edf9

SHA256
94af5e137daaf10a929ec40d150977ee126a4f36d1b1f8316d451d67ae7608c1

SHA512
b3c054fb2eea6518182379286ea0f61b5867a18163b3ff3f20c52d0495bf73adb6e7fd78488fc1de1ee532693b1e868471d7211f9a3c267dbacecb1524fc8752

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
1.5MB

MD5
c29576ff68fc9566c755d4be743f021c

SHA1
5246f06911038f3249e8a680873a39e51da81432

SHA256
c0e8d84f2b93d1dc2c3139a1dda535e0d79c5ee79d834a7717500af4e7313463

SHA512
9088d123a124e7c3909400bd4aa41c3b21d6c50706757037dc4d75db343bd3a0b31d5c3a70ff435b1274a31a3b8d08c3c97381128852a1a3df7651acbb83b562

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
4.7MB

MD5
980404852caa3aa3e73ba2ff14dc3626

SHA1
2284b8412f76527293b9b12302041dcc700cdca2

SHA256
61a58d12bfc3239d890179cdc23fa67df60f44245ac7077c363189f064157af4

SHA512
e7e655a020ef138d2d9fd9d3a477a000425f6546ed4ce161b9b3a8b64dd7fc6759d12871849e9ad9c5a94a834a15e57a4e185aabee6ccc409822c036b72ca177

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
5.6MB

MD5
3d3fa2fc39cb7bc1a6ce5bddc4fdb07a

SHA1
5af45e0a7e0d7d369ab5129a09393e14ff54f6b4

SHA256
8e0427a65bb9a09fbcff2cf5e3c8a570a516ff9ef99e612d28f616792d3525db

SHA512
71c6f511e7e45b634e7d11189c8673bf2f184888c215ad84ea0eb74053b377d2d7df2e33641c9519bbc70d9f77372659d3c8d5d72fa47bfc2febca601b1e8f26

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
4.0MB

MD5
310dedf761a16ce731cd59fb1e5d5b74

SHA1
718dc09dc81cacede53c5c5fabd54d674bfb25f3

SHA256
43407efb35aef3c0e40fd89a4bf1e907abfe6ae74a834e5b64617bf3549aa4c7

SHA512
87b428320f708a91910578d6bc6951b2307db5baf7044553b9e6552f55f56ed64c06e6d3c3f263d783a21f32ddca71813aefb190d29d8dafa2d5e86c0eb2ed93

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
54KB

MD5
fe3fbb58ebd0497c9eb265fab5d24cdb

SHA1
af04265b839200a83a3f20d490859150267fdc32

SHA256
04f3ea50016d64cd0a316eb8b5206bd745d495ee6b0392de016732bee8313045

SHA512
c4fa304547f828389666123cb6f8220e4def5fc6a189411f7289d28c545352fb41d3595f64aa05c3a5e81c486aeef13dcba92f6b062e3357ce45ad21386ace55

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
5.5MB

MD5
daa8c9fe2677ca2cf83370b139feae7a

SHA1
1cf9483ee0f37a3f79227b2396bb833e129407c8

SHA256
9157e0311734ee5473270c307cb60c48143026b31b43d5846f2928cc97c309c1

SHA512
d97c2eb2bc59803fce2e6f08c021b2bbff5a44601bdcf928d1edc8d6ef9d747bea347a675ad076f9678dcfdccd7e10ffeccce600f180bfd9abf22c2087776471

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3dg.0.bat

Filesize
176B

MD5
6bb7b2f4a67c5b02263a8aa0e2bb82f9

SHA1
8a555b238b42bd6f0754d70d010ed721263b05a0

SHA256
5ae3b86aca51660571ac81e8b48ee49daad6544f25e4193588582dec9b9436e9

SHA512
92ae8c1cd336469b2011ed31971a600d7552ca85d3e117778622b85d355dae9e7ebccbd211096ac73614c3f91c27a604f1855cbdaf2904e9a07b1b2bc2b64b52

Download Submit
memory/1336-24-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/1336-29-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/2736-45-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/2736-40-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/3068-21-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/3068-16-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/4372-0-0x00000000010A0000-0x0000000001C9B000-memory.dmp

Filesize
12.0MB

Download
memory/4372-5-0x00000000010A0000-0x0000000001C9B000-memory.dmp

Filesize
12.0MB

Download
memory/4676-56-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/4984-48-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/4984-53-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/4996-32-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download
memory/4996-37-0x0000000000210000-0x0000000000E0B000-memory.dmp

Filesize
12.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads