Analysis

  • max time kernel
    0s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2023, 10:16

General

  • Target

    325bbbe1ee2f09f72e1084acae849bf8.exe

  • Size

    18.6MB

  • MD5

    325bbbe1ee2f09f72e1084acae849bf8

  • SHA1

    f75c355e3277410919f5c7b7436fbcaa8b86fce1

  • SHA256

    c605e919a0b6a36830a388be8e43a29a81139d095cea8f04269a349872afdebe

  • SHA512

    506685f3a72c3f489aaf239d7190893aa4ec89eceab12cf858bdfa237ee2883f1397432aa5fb9b8951bb6097ae0970685d44227fbca0f08e8f5371f5200bc79c

  • SSDEEP

    393216:mAP1dyZTDeIRs4dpRhuGCTxhAQZTAkWNGgp:T1qDeIRLutt/TAt5

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 12 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 12 IoCs
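
The VMProtect signature above is a static check, and before acting on a single sandbox hit an analyst usually reproduces it locally. The following is an added example written for this page, not code from the report or from the sandbox vendor: a pure-Python walk of the PE section table that flags the `.vmp0`/`.vmp1` section names VMProtect writes by default. The `.vmp` prefix list is this example's assumption, and `build_fake_pe` constructs a header-only image for the demonstration rather than using the sample. A VMProtect build can rename its sections, so a negative result from this check is inconclusive; the sandbox signature may additionally rely on entry-point byte patterns.

```python
"""Pure-Python check for VMProtect's default section names in a PE file (no pefile needed)."""
import struct
import sys

# VMProtect's default section names start with ".vmp" (".vmp0", ".vmp1", ...).
# This prefix list is the example's assumption; builds can rename their sections.
VMP_SECTION_PREFIXES = (".vmp",)


def pe_section_names(data: bytes) -> list:
    """Walk the PE headers of an image held in memory and return its section names.

    Raises ValueError if the data is not a well-formed MZ/PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20 (12 bytes of timestamp/symbol fields in between).
    num_sections, size_opt = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + size_opt          # section table sits after the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw = data[off:off + 8].split(b"\0", 1)[0]   # 8-byte NUL-padded name
        names.append(raw.decode("ascii", "replace"))
    return names


def looks_vmprotect(data: bytes) -> bool:
    """True if any section name carries a VMProtect default prefix."""
    return any(n.startswith(VMP_SECTION_PREFIXES) for n in pe_section_names(data))


def build_fake_pe(section_names) -> bytes:
    """Constructed header-only PE32+ image for the demonstration; not a real sample."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    size_opt = 0xF0                                                # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, size_opt, 0x22)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * size_opt + sections


if __name__ == "__main__":
    # Usage: python vmp_check.py <file.exe>; with no argument, run on the constructed image.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_fake_pe([".text", ".vmp0", ".vmp1"])
    print("sections:", pe_section_names(blob))
    print("VMProtect markers present:", looks_vmprotect(blob))
```

Run it against the 18.6MB sample to confirm the section names yourself; the 5.1MB and 802KB drops in the list below are worth the same check, since the packer on the outer layer says nothing about what it unpacks.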

Processes

  • C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
    "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
      "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2360
  • C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
    "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
      "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
      2⤵
      PID:2856
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
        3⤵
        PID:1724
        • C:\Users\Admin\AppData\Local\Temp\Defender.exe
          "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
          4⤵
          PID:2308
          • C:\Users\Admin\AppData\Local\Temp\Defender.exe
            "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
            5⤵
            PID:1080
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    1⤵
    PID:2532
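
The process tree is the most informative part of this report, so here is an added triage script written for this page (not part of the report or of any sandbox tooling) that encodes the records above as data and flags what an analyst would mark up by hand: the parent/child pairs with identical command lines (a one-file bootloader re-executing itself; the `_MEI29282` folder under Temp in the file list is consistent with the `_MEI<pid>…` naming PyInstaller's bootloader uses, and 2928 is the second tree root), the `asadmin` token on that second root, Bypass.exe running from the per-user Startup folder, and executables launched from %LOCALAPPDATA%\Temp. The rule names, the `asadmin` heuristic and the ATT&CK mapping are this example's assumptions, not the sandbox's own signatures.

```python
"""Triage of the process tree above: flag self-relaunch, Startup-folder persistence,
execution from user-writable temp paths and the 'asadmin' relaunch token."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Lower-cased path fragments; trailing separator added so "\temp" does not match "\temporary".
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup" + "\\"
LOCAL_TEMP = r"\appdata\local\temp" + "\\"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None for a tree root (parent not recorded by the sandbox)
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


# Records transcribed from the process tree in this report (PIDs and command lines as listed).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
BYPASS = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
DEFENDER = r"C:\Users\Admin\AppData\Local\Temp\Defender.exe"
PROCS = [
    Proc(3024, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2360, 3024, SAMPLE, f'"{SAMPLE}"'),
    Proc(2928, None, SAMPLE, f'"{SAMPLE}" {SAMPLE} asadmin'),
    Proc(2856, 2928, SAMPLE, f'"{SAMPLE}" {SAMPLE} asadmin'),
    Proc(1724, 2856, BYPASS, f'"{BYPASS}"'),
    Proc(2308, 1724, DEFENDER, f'"{DEFENDER}" /D'),
    Proc(1080, 2308, DEFENDER, f'"{DEFENDER}" /SYS 1'),
    Proc(2532, None, r"C:\Windows\system32\gpscript.exe", "gpscript.exe /RefreshSystemParam"),
]


def triage(procs: list[Proc]) -> list[Finding]:
    """Apply the triage rules to every process; returns one Finding per (pid, rule) hit."""
    by_pid = {p.pid: p for p in procs}
    findings: list[Finding] = []
    for p in procs:
        image = p.image.lower()
        if STARTUP_DIR in image:
            findings.append(Finding(p.pid, "startup_folder",
                "runs from the per-user Startup folder: persistence, ATT&CK T1547.001"))
        if LOCAL_TEMP in image:
            findings.append(Finding(p.pid, "temp_exec",
                "executable launched from %LOCALAPPDATA%\\Temp"))
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is not None and parent.image.lower() == image:
            findings.append(Finding(p.pid, "self_relaunch",
                f"same image as parent PID {parent.pid}: one-file bootloader or re-exec pattern"))
        # Heuristic (this example's assumption): an 'asadmin' token on a self-invocation is the
        # usual marker of a program re-running itself via a 'runas' ShellExecute to get elevation.
        # Whitespace split is enough here because the token is never inside a quoted path.
        if "asadmin" in p.cmdline.lower().split():
            findings.append(Finding(p.pid, "asadmin_token",
                "command line carries an 'asadmin' relaunch argument"))
    return findings


def by_pid_summary(findings: list[Finding]) -> dict:
    """Collapse findings into {pid: sorted rule names} for a quick read; unflagged PIDs are absent."""
    out: dict = {}
    for f in findings:
        out.setdefault(f.pid, set()).add(f.rule)
    return {pid: sorted(rules) for pid, rules in out.items()}


if __name__ == "__main__":
    for pid, rules in sorted(by_pid_summary(triage(PROCS)).items()):
        print(pid, ", ".join(rules))
```

Note that gpscript.exe (PID 2532) comes out clean: it is a Windows binary in system32 refreshing Group Policy, which is also why `gpt.ini` appears in the file list below. Whether its launch is a side effect of the sample or of the sandbox itself cannot be decided from this report alone.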

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI29282\Process.exe

    Filesize

    5.1MB

    MD5

    e45ec446aff1a32b03c47d5240c94902

    SHA1

    0f9055f732a8c66406a5becb9ae7b89d42d1a129

    SHA256

    2b1412f56d4356e96d4563957cb22a2025e19066de0b335314ce045540eaa6d3

    SHA512

    3ef70f8dfdcbfaad0391812e11e4fc66e02940ff42664f2eea786c231e864acb9854c7b867d1edf92775926a7c4dd464f39d0380cdb902784a8fdeac54f70316

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe

    Filesize

    621KB

    MD5

    22709abae1f01d878942f391cabedd91

    SHA1

    afbdaed36dbfb2697df1f495fa878f87d5eb886d

    SHA256

    8fcfde3960b39846c6c20f876df883dd18ad68a8e915a9adf52ddc7d0289ffbf

    SHA512

    08accd27d7bdbd742c8d64a53ad40125cb848566bf6dd56e705647c99196861d4c779a040996f74d8b603f46d4a203f05636d34e02942efda5dd2615ebabdcb8

  • C:\Windows\System32\GroupPolicy\gpt.ini

    Filesize

    233B

    MD5

    cd4326a6fd01cd3ca77cfd8d0f53821b

    SHA1

    a1030414d1f8e5d5a6e89d5a309921b8920856f9

    SHA256

    1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

    SHA512

    29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

  • C:\Windows\Temp\jbmbscj

    Filesize

    37KB

    MD5

    4f4cfdec02b700d2582f27f6943a1f81

    SHA1

    37027566e228abba3cc596ae860110638231da14

    SHA256

    18a13223c2587bc03ce14be7a63325f3c60d6f805e1bb96e32025ecdc1d620b7

    SHA512

    146128ecb8bc682510a92f58cea58bfed68a215438d235b1b79ad6e0ef1f0f6a6b9400c7b83d70ddf7d8a22a5bcaca17b6532650192b4448e811dd7b4335b592

  • \Users\Admin\AppData\Local\Temp\Defender.exe

    Filesize

    802KB

    MD5

    ac34ba84a5054cd701efad5dd14645c9

    SHA1

    dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

    SHA256

    c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

    SHA512

    df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

  • memory/1724-135-0x00000000013B0000-0x0000000001452000-memory.dmp

    Filesize

    648KB

  • memory/1724-136-0x00000000744B0000-0x0000000074B9E000-memory.dmp

    Filesize

    6.9MB

  • memory/1724-143-0x0000000000410000-0x0000000000411000-memory.dmp

    Filesize

    4KB

  • memory/1724-142-0x0000000000C00000-0x0000000000C40000-memory.dmp

    Filesize

    256KB

  • memory/1724-149-0x0000000000AC0000-0x0000000000B90000-memory.dmp

    Filesize

    832KB

  • memory/1724-183-0x00000000744B0000-0x0000000074B9E000-memory.dmp

    Filesize

    6.9MB