3f47a4bb6db9f8f926a9f754f475d00ffa39238bc331c61b91c97b65ce76f1a8

Analysis

max time kernel
170s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31669d6dd136f2f3d2dcce5944318e64.exe
Size

4.4MB
MD5

31669d6dd136f2f3d2dcce5944318e64
SHA1

bd9efa11e0085a55c3f9102c6a811fcd26e1f79a
SHA256

3f47a4bb6db9f8f926a9f754f475d00ffa39238bc331c61b91c97b65ce76f1a8
SHA512

bdb63cc1638231682629addf32fb9de51257c46401a170a2f700ea288584b8cc53864bfd44cf81c1fef202e30018209437bfde60834ced84c61fe96d54eb3654
SSDEEP

98304:lqs7WQUP+Mxzy8RjJ+6qKgv9dAdw+EKnU3pO9uCon:wsCQy+N8RjJUKO9dagRZOg

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5036	vsxdz.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1120-1-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral2/memory/1120-5-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral2/files/0x000700000002331e-14.dat	vmprotect
behavioral2/memory/1120-15-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral2/memory/5036-18-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral2/memory/5036-22-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral2/memory/5036-27-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1120	31669d6dd136f2f3d2dcce5944318e64.exe
5036	vsxdz.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1120	31669d6dd136f2f3d2dcce5944318e64.exe
1120	31669d6dd136f2f3d2dcce5944318e64.exe
1120	31669d6dd136f2f3d2dcce5944318e64.exe
1120	31669d6dd136f2f3d2dcce5944318e64.exe
5036	vsxdz.exe
5036	vsxdz.exe
5036	vsxdz.exe
5036	vsxdz.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 5036	1120	31669d6dd136f2f3d2dcce5944318e64.exe	96
PID 1120 wrote to memory of 5036	1120	31669d6dd136f2f3d2dcce5944318e64.exe	96
PID 1120 wrote to memory of 5036	1120	31669d6dd136f2f3d2dcce5944318e64.exe	96

C:\Users\Admin\AppData\Local\Temp\31669d6dd136f2f3d2dcce5944318e64.exe
"C:\Users\Admin\AppData\Local\Temp\31669d6dd136f2f3d2dcce5944318e64.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\ztt\vsxdz.exe
  "C:\Users\Admin\AppData\Local\Temp\ztt\vsxdz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
1⤵
PID:1560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ztt\vsxdz.exe

Filesize
4.4MB

MD5
d6f7050e5e2cb8eb294d513c4b9b3951

SHA1
75935426b32daf2aaf904836a8762152e1b50303

SHA256
487ee122b55bf69e15e428a20a5318905b7c29422fcc2592f37a33d317cb27e1

SHA512
bca57ed3d479bba3a658a528bf5cddffaf7ecb101ff108c014a5afe4bbb236df84505e7a70ee6264530e6ad2fb92cd12e23a79a3c87c8e4e12580bd0ee575444

Download Submit
memory/1120-15-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/1120-5-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/1120-3-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1120-0-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1120-4-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/1120-6-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1120-7-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1120-8-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1120-1-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/1120-2-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/5036-18-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/5036-17-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/5036-19-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/5036-20-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/5036-21-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/5036-22-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/5036-23-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5036-24-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/5036-27-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download