Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 12:20

General

  • Target

    35fc17285530e2e4cca50280b5f4b4b1.exe

  • Size

    100KB

  • MD5

    35fc17285530e2e4cca50280b5f4b4b1

  • SHA1

    eeb99a190a22a13e28f54aac5fc90364c1061064

  • SHA256

    e65e98c2c80f48b6a7c49b10e60ce0a02d1bc227dcccc407afd9b385cc99c252

  • SHA512

    549ff273187337621fc477f6d52aecde1af34a557f75e258d81d559a2966933674e34e88f84f7a0c68fbf4cb5e533b086402687203714158f36f63664a109b41

  • SSDEEP

    3072:BnCmdNuEYbWfWLHtTBfNtyi0xNLb4CC0Tyl6pwu1kC:BZbuTbqWLHtTBVtyi0f8CCSyAPb

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35fc17285530e2e4cca50280b5f4b4b1.exe
    "C:\Users\Admin\AppData\Local\Temp\35fc17285530e2e4cca50280b5f4b4b1.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35FC17~1.EXE > nul
      2⤵
        PID:2036
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
      1⤵
      • Loads dropped DLL
      PID:2716

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\TfmitxD.dll

            Filesize

            78KB

            MD5

            db603e204991123fbd757e4756555931

            SHA1

            69c6299a1590d51bf28fa8f64d0119d8af246e19

            SHA256

            33578f21466c058bb343b302e3d8f4d6683b2b961f71d89342117b4038c176b3

            SHA512

            468813dbbf44334f934775ab3605424e30fad594939893107dd6d3eab77793ceb5b4d62c05ab7802e31374ded402cae7c6fd250e5f5ffc281ce698d619051691

          • memory/1760-6-0x0000000010000000-0x0000000010019000-memory.dmp

            Filesize

            100KB

          • memory/2716-10-0x0000000010000000-0x0000000010019000-memory.dmp

            Filesize

            100KB

          • memory/2716-11-0x0000000010000000-0x0000000010019000-memory.dmp

            Filesize

            100KB