Overview

overview

7

Static

static

7

b49d41e806...17.exe

windows7-x64

7

b49d41e806...17.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-03-2024 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b49d41e80664f913e7e3f359e1d13817.exe

  • Size

    5.7MB

  • MD5

    b49d41e80664f913e7e3f359e1d13817

  • SHA1

    cd1e43b8755ca5f0756e4dcf4d627f2ddcdc90d8

  • SHA256

    72111582f545744da1b6a2c82643303a22384375a5646a52fd88998138e4bbd8

  • SHA512

    609ac235ac31144626562aa8df7604293a418ca63fcb244898ee0052a2a35d6874d7219b387126aaf025c72e5d3807421f94d9d25c3690d96c401e6c7417b80e

  • SSDEEP

    98304:jRtilbPNVA8Kz87WvSy+TFXaTfe83yMkY8i9H0jnzF/WY2M3eAKN:ENVA8j7aFjemyO8ih0jzV8MuZ

Score
7/10
vmprotect

Malware Config

Signatures

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b49d41e80664f913e7e3f359e1d13817.exe
    "C:\Users\Admin\AppData\Local\Temp\b49d41e80664f913e7e3f359e1d13817.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>
      2⤵
        PID:1632
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>
        2⤵
          PID:4860

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4612-0-0x00007FFE86050000-0x00007FFE86052000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4612-2-0x00007FF75B830000-0x00007FF75C264000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/4612-1-0x00007FF75B830000-0x00007FF75C264000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/4612-9-0x00007FF75B830000-0x00007FF75C264000-memory.dmp

        Filesize

        10.2MB

        Download