d596a6abe6fefa03567cfc81c737820b592339952d6ac9227af07f2fc471d2fc

General

Target

7ad7e7e9e3d5da653bfb768cc00b7f33.exe
Size

8.9MB
MD5

7ad7e7e9e3d5da653bfb768cc00b7f33
SHA1

83fa57c745fbcc15c879a393dcb40f88e7add47b
SHA256

d596a6abe6fefa03567cfc81c737820b592339952d6ac9227af07f2fc471d2fc
SHA512

87715b53532b34b7851c6490c6c0a50c3a799a520abe9b749d245d37d0b2cb27c6fda78470bedee1bd7f411df735724f0d98619dd302afadea6e47d2270bfab6
SSDEEP

196608:TOKHq1sTHFjcm/GLnRNMonNUqWTpqp3zMh7/Ofc2vWKfl:TpHq+Hy0GLnjMWNUM3zCWP

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	MAXIMUS.EXE

Loads dropped DLL 1 IoCs

pid	Process
1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1988-9-0x0000000000350000-0x00000000013B0000-memory.dmp	vmprotect
behavioral1/memory/1988-44-0x0000000000350000-0x00000000013B0000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	1988	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe
1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2836	1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe	29
PID 1988 wrote to memory of 2836	1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe	29
PID 1988 wrote to memory of 2836	1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe	29
PID 1988 wrote to memory of 2836	1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe	29
PID 1988 wrote to memory of 2760	1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe	28
PID 1988 wrote to memory of 2760	1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe	28
PID 1988 wrote to memory of 2760	1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe	28
PID 1988 wrote to memory of 2760	1988	7ad7e7e9e3d5da653bfb768cc00b7f33.exe	28

C:\Users\Admin\AppData\Local\Temp\7ad7e7e9e3d5da653bfb768cc00b7f33.exe
"C:\Users\Admin\AppData\Local\Temp\7ad7e7e9e3d5da653bfb768cc00b7f33.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 448
  2⤵
  - Program crash
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\MAXIMUS.EXE
  "C:\Users\Admin\AppData\Local\Temp\MAXIMUS.EXE"
  2⤵
  - Executes dropped EXE
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MAXIMUS.EXE

Filesize
166KB

MD5
b94c2d6927a4316a042051d8fd167523

SHA1
b95efa87ba635321bdf58bf8fa976633f24737a5

SHA256
326a24c022de6c9e928cfa35673e9d8c837f251f1cfc82facdc45116e48206e1

SHA512
61a138aa410202b9cdd2fef3bcd6a59b64d6e0454b5e3a3fbeb50cd550af7ea498bb46f313592a07d8ad09d80497d3d8b2e13231983d31e28b79fcac58a7dbe9

Download Submit
\Users\Admin\AppData\Local\Temp\MAXIMUS.EXE

Filesize
72KB

MD5
b46740dba5d4ff64dbf85f1b08f20660

SHA1
4931b99477f01d88f0b73b44f0b561613b564a48

SHA256
be4f891c25e94ccce0576c589e9442e4bbca7862fa44161d69228240e8bd2bb4

SHA512
9d4c5a332ea3fa98e0e849bdc33dfa6ff2a32fa2ea459411fecc4f26cecbdf1cb224d28882ead6a0696b06c1525c6b5a30dc89da12dca720cfa7e509458c46de

Download Submit
memory/1988-28-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1988-25-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1988-7-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1988-9-0x0000000000350000-0x00000000013B0000-memory.dmp

Filesize
16.4MB

Download
memory/1988-10-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1988-13-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1988-15-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1988-30-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1988-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1988-5-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1988-23-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1988-20-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1988-18-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1988-35-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1988-33-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1988-31-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1988-37-0x0000000077970000-0x0000000077971000-memory.dmp

Filesize
4KB

Download
memory/1988-4-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1988-2-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1988-44-0x0000000000350000-0x00000000013B0000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing