Overview (overview)

Score  Task / sample          Platform
10     Static                 static
3      VMM.zip                windows7-x64
7      VMM.zip                windows10-2004-x64
1      Data.exe               windows7-x64
1      Data.exe               windows10-2004-x64
1      Setup.exe              windows7-x64
5      Setup.exe              windows10-2004-x64
10     iepdf32.dll            windows7-x64
3      iepdf32.dll            windows10-2004-x64
3      indecorum.tiff         windows7-x64
3      indecorum.tiff         windows10-2004-x64
3      plugins/Co...st.dll    windows7-x64
1      plugins/Co...st.dll    windows10-2004-x64
1      plugins/Np...er.dll    windows7-x64
1      plugins/Np...er.dll    windows10-2004-x64
1      plugins/Np...rt.dll    windows7-x64
1      plugins/Np...rt.dll    windows10-2004-x64
1      plugins/mi...ls.dll    windows7-x64
1      plugins/mi...ls.dll    windows10-2004-x64
1      rubadub.odp            windows7-x64
1      rubadub.odp            windows10-2004-x64
1      updater/GUP.exe        windows7-x64
1      updater/GUP.exe        windows10-2004-x64
6      updater/LICENSE        windows7-x64
1      updater/LICENSE        windows10-2004-x64
1      updater/README.md      windows7-x64
3      updater/README.md      windows10-2004-x64
3      updater/enco.exe       windows7-x64
6      updater/enco.exe       windows10-2004-x64
6      updater/gup.xml        windows7-x64
1      updater/gup.xml        windows10-2004-x64
1      updater/libcurl.dll    windows7-x64
1      updater/libcurl.dll    windows10-2004-x64

Analysis
max time kernel: 102s
max time network: 25s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 06:52
Static task: static1

Behavioral tasks (task: sample, resource)
behavioral1: VMM.zip, win7-20240319-en
behavioral2: VMM.zip, win10v2004-20240226-en
behavioral3: Data.exe, win7-20240220-en
behavioral4: Data.exe, win10v2004-20240226-en
behavioral5: Setup.exe, win7-20240215-en
behavioral6: Setup.exe, win10v2004-20240319-en
behavioral7: iepdf32.dll, win7-20240221-en
behavioral8: iepdf32.dll, win10v2004-20240226-en
behavioral9: indecorum.tiff, win7-20240221-en
behavioral10: indecorum.tiff, win10v2004-20240226-en
behavioral11: plugins/Config/nppPluginList.dll, win7-20240221-en
behavioral12: plugins/Config/nppPluginList.dll, win10v2004-20240226-en
behavioral13: plugins/NppConverter/NppConverter.dll, win7-20240221-en
behavioral14: plugins/NppConverter/NppConverter.dll, win10v2004-20240226-en
behavioral15: plugins/NppExport/NppExport.dll, win7-20240220-en
behavioral16: plugins/NppExport/NppExport.dll, win10v2004-20231215-en
behavioral17: plugins/mimeTools/mimeTools.dll, win7-20240221-en
behavioral18: plugins/mimeTools/mimeTools.dll, win10v2004-20240226-en
behavioral19: rubadub.odp, win7-20240319-en
behavioral20: rubadub.odp, win10v2004-20240226-en
behavioral21: updater/GUP.exe, win7-20240221-en
behavioral22: updater/GUP.exe, win10v2004-20240226-en
behavioral23: updater/LICENSE, win7-20240221-en
behavioral24: updater/LICENSE, win10v2004-20240226-en
behavioral25: updater/README.md, win7-20240221-en
behavioral26: updater/README.md, win10v2004-20231215-en
behavioral27: updater/enco.exe, win7-20240215-en
behavioral28: updater/enco.exe, win10v2004-20240226-en
behavioral29: updater/gup.xml, win7-20240221-en
behavioral30: updater/gup.xml, win10v2004-20240226-en
behavioral31: updater/libcurl.dll, win7-20240221-en
behavioral32: updater/libcurl.dll, win10v2004-20240226-en
General
Target: VMM.zip
Size: 14.6MB
MD5: 06c696dec212fe9a135fcc5a15a9a134
SHA1: 84ee0bfdffcca7aeb588fc7900cb859d88ab0b5b
SHA256: 5344ad88a5cd21e8c2b396d4c0ff00bf3bb2c09aee63c7eb6f72a86c1a5398f9
SHA512: 734fe295516172adb5968fd296e16db6daec73c932860db8b45e843f9eb56e1a00ee2908dd53ec533c27d1aaf3839b0fe0ad0a898b4d24f18eeadcc6b51620d8
SSDEEP: 393216:6Lnku9vqgEr3sLmwawkhpNtmAbwFihMXaYFOv0rl66Qwl6hPK/8aeG:6LnjV2sLXBkNtmAEFihoj95XQwMpa/
Malware Config
Signatures
Loads dropped DLL (7 IoCs)
pid   Process
1640  netsh.exe
2020  RunDll.exe
1940  WerFault.exe
1940  WerFault.exe
1940  WerFault.exe
1940  WerFault.exe
1940  WerFault.exe

Suspicious use of SetThreadContext (1 IoCs)
description                           pid   Process    procid_target
PID 1692 set thread context of 1640   1692  Setup.exe  36

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
1940  2020        WerFault.exe  38

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
1692  Setup.exe
1692  Setup.exe
1640  netsh.exe
1640  netsh.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
pid   Process
1692  Setup.exe
1640  netsh.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
1692  Setup.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description                        pid   Process     procid_target
PID 1692 wrote to memory of 1640   1692  Setup.exe   36
PID 1692 wrote to memory of 1640   1692  Setup.exe   36
PID 1692 wrote to memory of 1640   1692  Setup.exe   36
PID 1692 wrote to memory of 1640   1692  Setup.exe   36
PID 1692 wrote to memory of 1640   1692  Setup.exe   36
PID 1640 wrote to memory of 2020   1640  netsh.exe   38
PID 1640 wrote to memory of 2020   1640  netsh.exe   38
PID 1640 wrote to memory of 2020   1640  netsh.exe   38
PID 1640 wrote to memory of 2020   1640  netsh.exe   38
PID 1640 wrote to memory of 2020   1640  netsh.exe   38
PID 1640 wrote to memory of 2020   1640  netsh.exe   38
PID 1640 wrote to memory of 2020   1640  netsh.exe   38
PID 1640 wrote to memory of 2020   1640  netsh.exe   38
PID 2020 wrote to memory of 1940   2020  RunDll.exe  40
PID 2020 wrote to memory of 1940   2020  RunDll.exe  40
PID 2020 wrote to memory of 1940   2020  RunDll.exe  40
PID 2020 wrote to memory of 1940   2020  RunDll.exe  40
Processes (indentation shows the process tree depth; each entry gives the image path, its command line and PID, followed by the signatures that fired for it)

C:\Windows\Explorer.exe
  command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\VMM.zip
  PID: 3028

C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
  PID: 3068

C:\Users\Admin\Desktop\Setup.exe
  command line: "C:\Users\Admin\Desktop\Setup.exe"
  PID: 1692
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      command line: C:\Windows\SysWOW64\netsh.exe
      PID: 1640
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\RunDll.exe
          command line: C:\Users\Admin\AppData\Local\Temp\RunDll.exe
          PID: 2020
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 200
              PID: 1940
              - Loads dropped DLL
              - Program crash
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 4.5MB
MD5: 9515b07eb3a87b926aad8d9dd64aa454
SHA1: 3ac6bd117e11a308be46eeb7f9f4637b8a482d5f
SHA256: 59da866b0475686721a7533c8da1fdb3dfc5c90afc7c08772cad1dc1f358dad8
SHA512: 10922f541e401b5a52cce8b4ce31524f595cae709154d71d8adc6453959b7187edfe0cd650693b08235788c875c63c39b51271338cf078272a91cd1eb9d1b037

Filesize: 3.6MB
MD5: 726444379dbb621f5f117a2605425be1
SHA1: 1700e8c51b39a8000bb41ee8b25940a6962c305b
SHA256: a642496f090ca7c54dc57e9ae6f5fe65b3a233dcdf7a2b734f58be23a388b1e9
SHA512: 28f04eef12ae8d58dd67d956a1bcce0fc3dad579105c4be19432cb902b89977ffb8f9ac85506ce9461582276cd4c5c7be476016c4d9cf3f67bf7f1674c5cd267