146a13ff0619dc191a88422c0393601eaa51596b020e9c4244b9c4f2f1020297

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e14552ab2611f0bb677a15cb673ea7d5.exe
Size

497KB
MD5

e14552ab2611f0bb677a15cb673ea7d5
SHA1

7d1157a982601536c840c88c7776f495435bd9cd
SHA256

146a13ff0619dc191a88422c0393601eaa51596b020e9c4244b9c4f2f1020297
SHA512

9f413cdb38b9f21e9b0a2f8115d2285e25641f6ffd40358b96ddad1039a4845722220436463c8566d119cce5cf2f86c2569cdb52b5067e84117f42f44676315d
SSDEEP

6144:jk5M5FaYJsX6GH8JadDFIMNQhUGVDAT4l+m/60+B:o92iH8JldDAT4lh/cB

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	Vmeloa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1028-0-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/files/0x00070000000142a5-10.dat	upx
behavioral1/memory/2984-12-0x0000000000400000-0x000000000047E000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	e14552ab2611f0bb677a15cb673ea7d5.exe
File created	C:\Windows\Vmeloa.exe	e14552ab2611f0bb677a15cb673ea7d5.exe
File opened for modification	C:\Windows\Vmeloa.exe	e14552ab2611f0bb677a15cb673ea7d5.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Vmeloa.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Vmeloa.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	e14552ab2611f0bb677a15cb673ea7d5.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main	Vmeloa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe
2984	Vmeloa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1028	e14552ab2611f0bb677a15cb673ea7d5.exe
2984	Vmeloa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2984	1028	e14552ab2611f0bb677a15cb673ea7d5.exe	28
PID 1028 wrote to memory of 2984	1028	e14552ab2611f0bb677a15cb673ea7d5.exe	28
PID 1028 wrote to memory of 2984	1028	e14552ab2611f0bb677a15cb673ea7d5.exe	28
PID 1028 wrote to memory of 2984	1028	e14552ab2611f0bb677a15cb673ea7d5.exe	28

C:\Users\Admin\AppData\Local\Temp\e14552ab2611f0bb677a15cb673ea7d5.exe
"C:\Users\Admin\AppData\Local\Temp\e14552ab2611f0bb677a15cb673ea7d5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\Vmeloa.exe
  C:\Windows\Vmeloa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
344B

MD5
be4bed87f2243f9427bcfea419691ed4

SHA1
54ceae5f0728aec42966318870187a877536226f

SHA256
ab25795d60c5dbec27487f1887921141175a9c84013da982a172a66e60c6302f

SHA512
ac714cb43f086e70f9871c84032c811a026a3053d60deb67f0c7787793d1e1ec893ed02c514714c4fee3c7d432ac0ad890136675b6743faa59a1dde05a11e243

Download Submit
C:\Windows\Vmeloa.exe

Filesize
497KB

MD5
e14552ab2611f0bb677a15cb673ea7d5

SHA1
7d1157a982601536c840c88c7776f495435bd9cd

SHA256
146a13ff0619dc191a88422c0393601eaa51596b020e9c4244b9c4f2f1020297

SHA512
9f413cdb38b9f21e9b0a2f8115d2285e25641f6ffd40358b96ddad1039a4845722220436463c8566d119cce5cf2f86c2569cdb52b5067e84117f42f44676315d

Download Submit
memory/1028-17859-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1028-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1028-11-0x00000000022F0000-0x000000000236E000-memory.dmp

Filesize
504KB

Download
memory/1028-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1028-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1028-22530-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2984-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2984-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2984-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2984-38414-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2984-43398-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2984-48259-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download