93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4

Analysis

max time kernel
120s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe
Size

93.2MB
MD5

c1a9c81765de8ba0b68508abc7761364
SHA1

e2643f6bb4ea990461f6ed42dff8c68a2358fff4
SHA256

93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4
SHA512

f9f3c7db1af001165349a2350ccdf61d4864f7b4daa661dd906e22ebc34f61f3fc73f717c118ab936900e0e8ed157cff98973f831b3b040094662ab19e85b9a7
SSDEEP

1572864:lt87M9ixs5oDdkssoxrwbxs5oDlUushA4eMzJoFgnJX5wkKG0gMoCw6UrKmd/:SUoDK7opRoDlUushReyqFgJ+wX6Cd

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2520	UpdateWizard.exe

Loads dropped DLL 10 IoCs

pid	Process
2284	93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe
2520	UpdateWizard.exe
2520	UpdateWizard.exe
2520	UpdateWizard.exe
2520	UpdateWizard.exe
2520	UpdateWizard.exe
2520	UpdateWizard.exe
2520	UpdateWizard.exe
2520	UpdateWizard.exe
2520	UpdateWizard.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0005000000019463-152.dat	vmprotect
behavioral1/files/0x0005000000019463-151.dat	vmprotect
behavioral1/memory/2520-159-0x0000000072EC0000-0x00000000739DE000-memory.dmp	vmprotect
behavioral1/memory/2520-162-0x0000000072EC0000-0x00000000739DE000-memory.dmp	vmprotect
behavioral1/files/0x0005000000019485-168.dat	vmprotect
behavioral1/files/0x0005000000019485-169.dat	vmprotect
behavioral1/memory/2520-173-0x0000000071C40000-0x00000000728C3000-memory.dmp	vmprotect
behavioral1/memory/2520-176-0x0000000071C40000-0x00000000728C3000-memory.dmp	vmprotect
behavioral1/memory/2520-189-0x0000000072EC0000-0x00000000739DE000-memory.dmp	vmprotect
behavioral1/memory/2520-190-0x0000000071C40000-0x00000000728C3000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	UpdateWizard.exe
2520	UpdateWizard.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2284	93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe
2520	UpdateWizard.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2520	2284	93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe	28
PID 2284 wrote to memory of 2520	2284	93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe	28
PID 2284 wrote to memory of 2520	2284	93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe	28
PID 2284 wrote to memory of 2520	2284	93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe	28
PID 2284 wrote to memory of 2520	2284	93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe	28
PID 2284 wrote to memory of 2520	2284	93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe	28
PID 2284 wrote to memory of 2520	2284	93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe	28

C:\Users\Admin\AppData\Local\Temp\93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe
"C:\Users\Admin\AppData\Local\Temp\93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\84BA.tmp\UpdateWizard.exe
  "C:\Users\Admin\AppData\Local\Temp\93a7a21da1e33d1bd3e5d0da982ed3b6107ea6bfac40f43b3a9442ab5de9efe4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84BA.tmp\QtCore4.dll

Filesize
2.4MB

MD5
26c8600a427882bbd4f4edc393ff0c2c

SHA1
ba5a668eaa92ebdbc0efa6adb0abc3a1dbdec6bc

SHA256
45717e86a8f63e4783f2a429bcfa123864d44851f2ef56ce5ebd51c4d236b426

SHA512
5468455b889550a0539ed0215515326de3a1b33dfbead3e6b52836f017244d9c8feb23671ba21a47deab70563f90c1cbb2f1c9ead9d2c09ed382cd6741ee8136

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\QtGui4.dll

Filesize
1.1MB

MD5
730fec54aa688ea0c31975e195e0cc5b

SHA1
7971a9b9af9dc223c127c19b093a85d243375cfe

SHA256
529b5c8f666c255d47283152805565b47457aee7208901c7297b5a2e8c912e96

SHA512
5bad88a097c58c28ec3933c863d20bb8eb75f8137a9ae37d7d7f87ac7a1a7212914e9dd645dc71b33a09487ffde8de5eea4b4929150c3c6c3b0b557d7813e495

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\TempFolder\95EC.tmp

Filesize
2KB

MD5
1963c2edc7914f51d5c75e1322f5bc85

SHA1
daf367ad6e7f659e4339f5d76540607659254570

SHA256
aa24870503fc212cfa126d19f7d4262ade6cfbe4d4b80542b5f33399f5f0ad2d

SHA512
742ab07a439ea652fcc406499ce672044ef97b2b0a9a9b08722c37d6a71791c906f5431011a8154ed96f4db58a234e8f5122fa4d2fd5399762809f9afb39da70

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\TempFolder\lang\Arabic.lang

Filesize
19KB

MD5
86206722044aab282397bb4822521a65

SHA1
575ab356d3022555715ed92a1da6aa1d9f312477

SHA256
9f94c4bbc1c2c72d98b15f1ac59678a4457cb8f411b5b6a0ac4daf4a7c0e21fe

SHA512
8d2e99c262309d4339715869bb4e7574454d2f4967162c89571f2327da4984284cf7026f6a966bfd293472afc41ea99c70ce594ad55438f07329125828870cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\TempFolder\lang\Bulgarian.lang

Filesize
22KB

MD5
c545f1b23be0fa82189ad870bd06827e

SHA1
70f3b7c6dd5f32c9364c3a448184c355cad02fd0

SHA256
de10496f9f96890698009c92e776775f20cbcd970b5d8986eeead3e2a8088b4a

SHA512
6c299f452fc31b15ba15122bf651d42fc27a44c3a46cbb70508c0985ba9f653a88d84042999d3ec0829a61e6d386a1d94cd5d624db04fad74d092c1b6c867000

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\TempFolder\lang\ChineseHK.lang

Filesize
11KB

MD5
84d1910a2c157dc715b45f88c6fc7830

SHA1
4acbe3eab8a28c3cd761af2caf0296fddb03ce81

SHA256
066e55d7e76bc6f4e16673677c60376ebb081909aca2bba63d8aced8b2955eb0

SHA512
411f1b17e0908196c7f443daed92545ec5f8df39980f01bec259878efee708307efe5dcb42d1fbea16ee640b09ec49a89254ec35588af93e8b3a6874f75af3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\TempFolder\lang\Croatian.lang

Filesize
14KB

MD5
338070f09327beb14cc5f1c08017066c

SHA1
cbdf7ab2acbfab78ecc0bcd9f4defbeed390243e

SHA256
cff9a39aabc48a9017a97df8b61ebf793586fdbccfcbdc0ea1170467f064e78e

SHA512
9ba99e42fbaff9122bd9238210a467642e304420455c7de27eb24b018bac70305368761694cf43d2f7cc6bbc3b4fef1b0f501834ca74ad06a384cb7e6ac59b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\TempFolder\lang\Czech.lang

Filesize
14KB

MD5
48cba015c5b6f485c5c1f412f74c94f8

SHA1
ec65cbb0725113eb10cd352f255e3bbe6cfb17a1

SHA256
282b4b4c4b1e09310845888869a061dc5a3e6b52a3cc9f74ae77b6def2e7060d

SHA512
bf02425f9ac2c3a6fed371aee3166b46696c84e07c0fd1ee1c2d8ad841533b6052296730b1985c359c5c07c0bb32606302efeda198dd2d0d736e0ef683726707

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\TempFolder\lang\Danish.lang

Filesize
14KB

MD5
00f15d21e84b8bbf913825a0e8edec06

SHA1
7fe0a845b7fff00c72df92722336e730d8056afc

SHA256
f4180c7cb1e11f1ea39acf30a5622658cdbc524fbb26b0e69c650a53353720a4

SHA512
699692871bc3295b2b670084d9b3baa4646e47e0f827eead214f8f5e1d5ab9a62165e7355c9e42d840dae0ba69c27b4a09f992574b9cdbe8435cdf854eeb6c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\TempFolder\lang\Dutch.lang

Filesize
15KB

MD5
38ad2ca026c314d2748275ab27e0002b

SHA1
0c854b18849916a45d811f9284f3abe3d8a56eb6

SHA256
500ffe9d1e6d60194394f525342fc49cf1f719bcdae0519c84c22e2bdf6c5c2b

SHA512
e6795bc51963ec49ff22bcf288a9779f474e5c71f18a889471816d010d2a6b041e492a726a4bb2e3263ccd9b6ef8a38e99f8b8d21bb237cd420af240f0aad2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\UpdateWizard.exe

Filesize
3.1MB

MD5
2f46bd6848694f6d9f5a2e76ccb16bc2

SHA1
151e026d4107e75e6c82d306f4b65dfe0eed22ec

SHA256
e741d90dbdaf9064454e7165b7fdbf6e54028383328aff7d507330349b615fdb

SHA512
dacd48c792f3a0744302a95b973df050745ed45873eb9a6ae36ffbd1c8075737c2930459c5a8ab042aad809bd9434ffa58db9880dbb3182ae8a20b0463cbbb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\botan.dll

Filesize
1.5MB

MD5
420c340ba0033e5d6ceadfaaf3f581e8

SHA1
9b2bc60e478bd8dfc558f76fd7a563929d82a032

SHA256
65b741839b4910da84d1b9ba135943b3911c0f427c1b402cfbf919fda9d50c34

SHA512
02303ae5d79fc750636f80e80b6acffba556a14d4eb74cd2b08406aa5b45a4286dadfdb0421c9d13aa419fd6b76fb18908bb6e033445123dc7eb833e67c28ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\libSafePublic.dll

Filesize
3.0MB

MD5
90498494c15977f96073572c4c8dbbcb

SHA1
e9cb6d9b7a5cb63b2b0f00ab8b18f7995c2b9afe

SHA256
9de3046c76dea93a19cd3bb8b4a8d09cdce15e628815015d0ef06107807309c7

SHA512
b42ed635fc65974998b17ecf52673406741ba03c1e6409f1a50bdd920b6f47eb2f3504b8867627baa76db63c23508725d3aebfbd271dbb0d9076980422914a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\net7ssh.dll

Filesize
147KB

MD5
9c5a8a2c30d00ec0f52c872f0381a0ab

SHA1
5ff2e6f71dae9150a3a3b019796f16ad3a34ae19

SHA256
85c66c3d402d45e2755de67c292efbaea247e154657fc3b44b48111b6a115dd8

SHA512
04a80fd085bed768b711275a0a5094a64dc7ba85d0acf34c6f31508fdf1bc61e6a7a211114137f0ba0f0d1374676687437cbab0b64d56a96483433cf01d8692b

Download Submit
C:\Users\Admin\AppData\Local\Temp\84BA.tmp\sec2.dll

Filesize
4.5MB

MD5
f14ee5d5533f8ea5d14494151b107d41

SHA1
bf598ee5e2bdcac6dab21f6c174404ddc17f8727

SHA256
524a9ea95103535e9224a1195537102863507dd87bfd6afddf7e09cd6856a481

SHA512
8c7d29f624e46ba95b3e6c21f5eb17503336c3fe391ae460bfecdea710385d4475868a873109ee6cd0ccbb1b3f34f18fa6ac29b7c174a2651fb2b5340cbed14e

Download Submit
\Users\Admin\AppData\Local\Temp\84BA.tmp\QtCore4.dll

Filesize
2.4MB

MD5
608579a4ce9af71df1d02ea6d86341b1

SHA1
491b55e31f364c4766de92db3214c35e26e4e80d

SHA256
86d46e7a897df64a7384496a62305262b07698fca128702e096e76c06b97e436

SHA512
c8b102e9788d6230607ed2fbf864e660dcc0b0dd652df9ba47f2f118722faccad93a2e548f895e30d04c1c0b8087d0283c7e915a78702f0e4d40d46334b5e10a

Download Submit
\Users\Admin\AppData\Local\Temp\84BA.tmp\QtGui4.dll

Filesize
116KB

MD5
8fe6d34f55679320b4f304a4e5ba6001

SHA1
d34f160b4c1034190aedf31e31bace435b29dba6

SHA256
ba954f9201ee3b45914774e917bd755453b934cd82a118797753d2acea2d778a

SHA512
0b38140c902645bb7290a45b2a9055af74324c3cdaa637b40af6d6a682b33a3be49fadfee2193690e98a06afc4a28acf2b2b12c4597e5672e9e5f7bd80c1b434

Download Submit
\Users\Admin\AppData\Local\Temp\84BA.tmp\SafePublicDllHelper.dll

Filesize
16KB

MD5
0f8db4d1282a3c85e9daec94c8983182

SHA1
322c740df489539acd350eabd8163a9e329aea5f

SHA256
52009dbb180b303286630a860bc41613262a4881bbe7428dcdf00795f80cc522

SHA512
ea3f863488af13be3fb452fc3b922a42cd375316a1e21c54b13520aab683a05a56b04222835ed063d3439bdcd5f0a3443762a8341b13259b0d87df09fa532954

Download Submit
\Users\Admin\AppData\Local\Temp\84BA.tmp\UpdateWizard.exe

Filesize
3.4MB

MD5
dbda45e95bc25a1a273a6289e3012dd4

SHA1
698ad37fdcbc0247465f7d1240e353ffc9e2f77d

SHA256
f2f8f2c2fdb2cac072262ebb4acad0357149c487a4db4f7f5947e8cb55ba0325

SHA512
46aa7ca753149cb1c840bd92b2ba288b7291371c31f45a040420089d5be5984e66a150aacd4c28b400afff787647b47eac11c3498e82e397c50f317d820e5a9e

Download Submit
\Users\Admin\AppData\Local\Temp\84BA.tmp\botan.dll

Filesize
1.4MB

MD5
43a98283ea33eac29eb87fd085f2a59d

SHA1
59f2c9925b2cd6b59dda4ed9ffe5d618f198ef92

SHA256
4f6f11837cb0196f2933169f7bd1818da47e0b422f6ed0981911a147d684626f

SHA512
814d3757b9d94b83143a9291e0178e8a1cb6ed5b8537290951223ca04025c28727c48670641b1265f00da32e3c02b1add1ca1c81ee8f828f344d8eedb4575303

Download Submit
\Users\Admin\AppData\Local\Temp\84BA.tmp\libSafePublic.dll

Filesize
2.5MB

MD5
f0f8a367dd7dc79fbca86be88dabf54b

SHA1
f4f614cc630eb6d80eab6af847459b53bf0a82fa

SHA256
aabeb9e029daed595328d5e9abdcd97082b844348ee99a05338a9196d0c9ac64

SHA512
513ca2403a35b84f07a54040ce8391b257799f0e0fbb3b5496ad5b69528c2f097eb9f4bd23ee73f76ea247115f1fc48005dd848c08e053083470f860dfa59fa8

Download Submit
\Users\Admin\AppData\Local\Temp\84BA.tmp\mfc140.dll

Filesize
4.2MB

MD5
947ebb52d12fde12ad923fd17dea300c

SHA1
b617dd36ad79441e1544a9fa9067749db3b0ed7a

SHA256
ece40d2c0beb64ac73afe13ec2b86287db2b8db85bd5e8937cd035d0c8ca3d98

SHA512
c2decafd12320a879893c58371de6a0db0811e449ba6a4a97164087cf0e0cebccde6e735570ad49cd0d0d9414c4b79d6b3383afa8c529619220bfd81e9c3ee74

Download Submit
\Users\Admin\AppData\Local\Temp\84BA.tmp\sec2.dll

Filesize
3.9MB

MD5
b24c093158b759bdcacb15246168d7e3

SHA1
0e0a87773ace459ff0dd203f5851f7314c52df25

SHA256
a38730f253b4fdb71421c19ba33ff06ec4086148ae4edf6828b24468db08eab8

SHA512
6dd5aaa377c623bea16fc1a8624c7508250c859f4ea2c65b8fe37d665960eb0642ee0a50688d1e2174fa274b7ed77dd9d5811c625d7791684f45fe1895d0f212

Download Submit
\Users\Admin\AppData\Local\Temp\84BA.tmp\securec.dll

Filesize
11KB

MD5
edd7b75bb59b1ced010e971a4b195ac6

SHA1
2762793de6e37020586d0d403af489b4779faa5d

SHA256
ad04bcefa77294ae149237310ca043444f8df2a38ed8c02e775211717dfe0da8

SHA512
3906f9dd786699539ee0cd4a6d82c7d436f4a584d3922ec2a956518d74e8ab049b25b9437e8cbfa613ee4ac121e9ef76824b40f6f29488c1ee604f662e0d4112

Download Submit
memory/2520-160-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2520-163-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2520-162-0x0000000072EC0000-0x00000000739DE000-memory.dmp

Filesize
11.1MB

Download
memory/2520-165-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/2520-159-0x0000000072EC0000-0x00000000739DE000-memory.dmp

Filesize
11.1MB

Download
memory/2520-157-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2520-170-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2520-173-0x0000000071C40000-0x00000000728C3000-memory.dmp

Filesize
12.5MB

Download
memory/2520-172-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2520-175-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2520-176-0x0000000071C40000-0x00000000728C3000-memory.dmp

Filesize
12.5MB

Download
memory/2520-178-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/2520-48-0x0000000000640000-0x00000000007BE000-memory.dmp

Filesize
1.5MB

Download
memory/2520-189-0x0000000072EC0000-0x00000000739DE000-memory.dmp

Filesize
11.1MB

Download
memory/2520-190-0x0000000071C40000-0x00000000728C3000-memory.dmp

Filesize
12.5MB

Download