228db4eac5d27e4a4debc380f5443ee20d5f75f39418a30889ff80ad5338ee79

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02c4553c4a782f664b9d47a1e52e9f29.exe
Size

2.3MB
MD5

02c4553c4a782f664b9d47a1e52e9f29
SHA1

394a616fea616406c3ab12f40acf59332500d7ee
SHA256

228db4eac5d27e4a4debc380f5443ee20d5f75f39418a30889ff80ad5338ee79
SHA512

6b5026d4822c60732d6c565061ac2d822095eab2ce411b68109d39086fb85bfb319a40e22e6711672e598e6477a755944a2477b45cdb95370864add27f861bbd
SSDEEP

49152:o4erXlb7BZfdsB1icGIhrZ8pqSjO/CRctRYQdYRAS3JcU76TR84BXpPKvD3odEaO:4ZfW1BGID83S/CRkFYRNh2VBMv7odE9f

Score

8^/10

discovery vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
4768	02c4553c4a782f664b9d47a1e52e9f29.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3284-0-0x00000000006D0000-0x0000000000BC3000-memory.dmp	vmprotect
behavioral2/memory/3284-1-0x00000000006D0000-0x0000000000BC3000-memory.dmp	vmprotect
behavioral2/memory/4768-7-0x00000000006D0000-0x0000000000BC3000-memory.dmp	vmprotect
behavioral2/memory/4768-9-0x00000000006D0000-0x0000000000BC3000-memory.dmp	vmprotect
behavioral2/memory/3284-22-0x00000000006D0000-0x0000000000BC3000-memory.dmp	vmprotect
behavioral2/memory/4768-30-0x00000000006D0000-0x0000000000BC3000-memory.dmp	vmprotect
behavioral2/memory/4768-31-0x00000000006D0000-0x0000000000BC3000-memory.dmp	vmprotect
behavioral2/memory/3284-32-0x00000000006D0000-0x0000000000BC3000-memory.dmp	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
3284	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe
4768	02c4553c4a782f664b9d47a1e52e9f29.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 4768	3284	02c4553c4a782f664b9d47a1e52e9f29.exe	37
PID 3284 wrote to memory of 4768	3284	02c4553c4a782f664b9d47a1e52e9f29.exe	37
PID 3284 wrote to memory of 4768	3284	02c4553c4a782f664b9d47a1e52e9f29.exe	37

C:\Users\Admin\AppData\Local\Temp\02c4553c4a782f664b9d47a1e52e9f29.exe
"C:\Users\Admin\AppData\Local\Temp\02c4553c4a782f664b9d47a1e52e9f29.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Local\Temp\02c4553c4a782f664b9d47a1e52e9f29.exe
  C:\Users\Admin\AppData\Local\Temp\02c4553c4a782f664b9d47a1e52e9f29.exe /SECONDSTAGE /Mutex=TSMtx21664 /PIXGUID=99999999-9999-4323-9d97-85d4d9cc7106
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Install_1777\bxsdk32.dll

Filesize
678KB

MD5
46b655f78d090d11b22054bf312f7c04

SHA1
2b401388fa2b5d839bd884a6e20014755ffef186

SHA256
24b31fb8a7f3db9e0518429c6809ad720b72f703014d141435062789de499495

SHA512
e2594143918f62e8bf094ace2bbd47fe368ad973c85531a8e759074df717534879bf336e83bfa39acdea7c1f425bd2177c2cd684b37c6f6af5599aada7f4bf45

Download Submit
memory/3284-0-0x00000000006D0000-0x0000000000BC3000-memory.dmp

Filesize
4.9MB

Download
memory/3284-1-0x00000000006D0000-0x0000000000BC3000-memory.dmp

Filesize
4.9MB

Download
memory/3284-3-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/3284-4-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3284-5-0x0000000077630000-0x0000000077631000-memory.dmp

Filesize
4KB

Download
memory/3284-32-0x00000000006D0000-0x0000000000BC3000-memory.dmp

Filesize
4.9MB

Download
memory/3284-23-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3284-22-0x00000000006D0000-0x0000000000BC3000-memory.dmp

Filesize
4.9MB

Download
memory/4768-19-0x0000000076B10000-0x0000000076B11000-memory.dmp

Filesize
4KB

Download
memory/4768-29-0x0000000076B50000-0x0000000076B51000-memory.dmp

Filesize
4KB

Download
memory/4768-20-0x00000000772B0000-0x00000000772B1000-memory.dmp

Filesize
4KB

Download
memory/4768-17-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/4768-18-0x0000000076A70000-0x0000000076A71000-memory.dmp

Filesize
4KB

Download
memory/4768-11-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/4768-25-0x0000000076B30000-0x0000000076B31000-memory.dmp

Filesize
4KB

Download
memory/4768-21-0x00000000774F2000-0x00000000774F3000-memory.dmp

Filesize
4KB

Download
memory/4768-28-0x0000000076B60000-0x0000000076B61000-memory.dmp

Filesize
4KB

Download
memory/4768-27-0x0000000077290000-0x0000000077291000-memory.dmp

Filesize
4KB

Download
memory/4768-26-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/4768-24-0x0000000076B20000-0x0000000076B21000-memory.dmp

Filesize
4KB

Download
memory/4768-9-0x00000000006D0000-0x0000000000BC3000-memory.dmp

Filesize
4.9MB

Download
memory/4768-30-0x00000000006D0000-0x0000000000BC3000-memory.dmp

Filesize
4.9MB

Download
memory/4768-31-0x00000000006D0000-0x0000000000BC3000-memory.dmp

Filesize
4.9MB

Download
memory/4768-7-0x00000000006D0000-0x0000000000BC3000-memory.dmp

Filesize
4.9MB

Download