85579d6b414f97cf00c56de714fd246d86713d5fbcdaaf876c75d149c2a85702

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5718181bfb54486fb2d81adccadfaf0b.exe
Size

52KB
MD5

5718181bfb54486fb2d81adccadfaf0b
SHA1

ac5d3b01fa0bb3a51cf79ee3b34b084d50681155
SHA256

85579d6b414f97cf00c56de714fd246d86713d5fbcdaaf876c75d149c2a85702
SHA512

f92d37141154ca89c98c0a39a4c3c1297f742312e59235e88918ea66b4abbb3b51341eb973b51cd81382c800136a2390befcb14e77025c8924d3214d6764300b
SSDEEP

1536:hmdPf5yVtFsERanqZ8rO6W8IJR7aZRwIQIaLpDXDe:hm952cU8ZW8c7CRwHHlDTe

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	5718181bfb54486fb2d81adccadfaf0b.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MediaCeasdnter\Parameters\ServiceDll = "C:\\Windows\\system32\\NetNtEx.dll"	5718181bfb54486fb2d81adccadfaf0b.exe

Loads dropped DLL 2 IoCs

pid	Process
4712	5718181bfb54486fb2d81adccadfaf0b.exe
3684	svchost.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000023214-6.dat	vmprotect

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NetNtEx.dll	5718181bfb54486fb2d81adccadfaf0b.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4712	5718181bfb54486fb2d81adccadfaf0b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 824	4712	5718181bfb54486fb2d81adccadfaf0b.exe	91
PID 4712 wrote to memory of 824	4712	5718181bfb54486fb2d81adccadfaf0b.exe	91
PID 4712 wrote to memory of 824	4712	5718181bfb54486fb2d81adccadfaf0b.exe	91

C:\Users\Admin\AppData\Local\Temp\5718181bfb54486fb2d81adccadfaf0b.exe
"C:\Users\Admin\AppData\Local\Temp\5718181bfb54486fb2d81adccadfaf0b.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\571818~1.EXE > nul
  2⤵
  PID:824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
PID:3088

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
- Loads dropped DLL
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NetNtEx.dll

Filesize
73KB

MD5
34cd55087a743507c440f937237c9b6a

SHA1
fdf7db5bb55ee2f2cd3ff80a36a626fc2f799451

SHA256
3ef31cb608e7ec51e631a4f689c005c89f60d0a4b3592c02b2de33c4ac589581

SHA512
ca8b62c3ff904e789739de646db49c722765ba10c7d36aa6de9a496bec837cb8a8ac7b0c1c615994d77267d99d11501eb370c16368a8644e6ea6c7bfebe75127

Download Submit
memory/4712-0-0x0000000000400000-0x000000000042508B-memory.dmp

Filesize
148KB

Download
memory/4712-2-0x0000000000400000-0x000000000042508B-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads