3edd56e43e77b1cd5f7bf771489b5fcb9bbd99972dbb1ab4bb44ee039a3d168c

Analysis

max time kernel
106s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77f6555bde14a8a65bcc6b978785b1fc.exe
Size

44KB
MD5

77f6555bde14a8a65bcc6b978785b1fc
SHA1

486bd2cf73db57f9dd7c575d68f51e63b8bfeed9
SHA256

3edd56e43e77b1cd5f7bf771489b5fcb9bbd99972dbb1ab4bb44ee039a3d168c
SHA512

a34a95e3aea14fbb3d399da51840e04334f9bb889050de56d15f48ddf47fb74e8aee83f74211df7bd932c557e2e819f7f4aacf43728970aab8a23bc5e5fe71a0
SSDEEP

768:TaLTKqrOyv4qqeN43msxy4WYU8WCsW+SOoOSm3dh8UZlhP/2DX8tltfi:TwTKgfHd+tJU87CSzm3/ZfGr8tm

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vmlenqto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CcSLPn1Jwz = "C:\\ProgramData\\fmpqpkji\\vmlenqto.exe"	vmlenqto.exe

Executes dropped EXE 1 IoCs

pid	Process
844	vmlenqto.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2076	77f6555bde14a8a65bcc6b978785b1fc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 844	2076	77f6555bde14a8a65bcc6b978785b1fc.exe	98
PID 2076 wrote to memory of 844	2076	77f6555bde14a8a65bcc6b978785b1fc.exe	98
PID 2076 wrote to memory of 844	2076	77f6555bde14a8a65bcc6b978785b1fc.exe	98
PID 2076 wrote to memory of 4144	2076	77f6555bde14a8a65bcc6b978785b1fc.exe	99
PID 2076 wrote to memory of 4144	2076	77f6555bde14a8a65bcc6b978785b1fc.exe	99
PID 2076 wrote to memory of 4144	2076	77f6555bde14a8a65bcc6b978785b1fc.exe	99

C:\Users\Admin\AppData\Local\Temp\77f6555bde14a8a65bcc6b978785b1fc.exe
"C:\Users\Admin\AppData\Local\Temp\77f6555bde14a8a65bcc6b978785b1fc.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2076
- C:\ProgramData\fmpqpkji\vmlenqto.exe
  C:\ProgramData\fmpqpkji\vmlenqto.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  PID:844
- C:\Windows\SysWOW64\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\77F655~1.EXE.bak >> NUL
  2⤵
  PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fmpqpkji\vmlenqto.exe

Filesize
44KB

MD5
77f6555bde14a8a65bcc6b978785b1fc

SHA1
486bd2cf73db57f9dd7c575d68f51e63b8bfeed9

SHA256
3edd56e43e77b1cd5f7bf771489b5fcb9bbd99972dbb1ab4bb44ee039a3d168c

SHA512
a34a95e3aea14fbb3d399da51840e04334f9bb889050de56d15f48ddf47fb74e8aee83f74211df7bd932c557e2e819f7f4aacf43728970aab8a23bc5e5fe71a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads