a8377270486aec3c994de7c2ccd7b53c791ff525ed124a29c4584ecb49ad4938

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

㶮.exe
Size

1.3MB
MD5

c968a7435252b03172f3ce2203d2cb3f
SHA1

6a82d3c7562f44a2a154640145034ea0977c1484
SHA256

14c5d6b1a0b1eef488240bc71d2011dead947721dd73de1591dfedf145e481cf
SHA512

763534e570494408104008016cd354e2dbb91e8aad043807d84e1a789f47517bd09742916ea1e9b17619c7c0cb424d443f7a6a8e43ca2414c4dfa547b559a3b7
SSDEEP

24576:w5q9mwQVKgUT1EIAThEi1r5alT96sJokqI/Zv7d6TUeLOPJZi:w5q4ygUTixh/569CI/ZjJea/i

Score

7^/10

vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

㶮.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	㶮.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3044-0-0x0000000000400000-0x0000000000735000-memory.dmp	vmprotect
behavioral2/memory/3044-1-0x0000000000400000-0x0000000000735000-memory.dmp	vmprotect
behavioral2/memory/3044-14-0x0000000000400000-0x0000000000735000-memory.dmp	vmprotect

Drops file in Program Files directory 1 IoCs

Processes:

㶮.exe

description ioc process

File created C:\Program Files\Internet Explorer\nvudp.exe 㶮.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\Internet Explorer\nvudp.exe	㶮.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

㶮.exe

pid	process
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe
3044	㶮.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

㶮.exe

pid process

3044 㶮.exe
3044 㶮.exe

C:\Users\Admin\AppData\Local\Temp\㶮.exe
"C:\Users\Admin\AppData\Local\Temp\㶮.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\nvudp.exe

Filesize
256B

MD5
83a513d1c7f655b3587fb25337ccf8c8

SHA1
61a0718316c1064ebe54b3803a48303aad8a533f

SHA256
19174ec8ce1d63609c58455f64f83806c6c7e4c3e412ea92b0175fe48409b75e

SHA512
db273718ffd7ce6123b954767ab999e216f692c7b9d3fcb28c65dcb855df1b33626593a7aadf39cf3d72ff3d99b09dc242e3b7a46281a30fbddb2b67590a9e7b

Download Submit
memory/3044-0-0x0000000000400000-0x0000000000735000-memory.dmp

Filesize
3.2MB

Download
memory/3044-1-0x0000000000400000-0x0000000000735000-memory.dmp

Filesize
3.2MB

Download
memory/3044-3-0x0000000076310000-0x0000000076311000-memory.dmp

Filesize
4KB

Download
memory/3044-13-0x00000000772C0000-0x00000000772C1000-memory.dmp

Filesize
4KB

Download
memory/3044-14-0x0000000000400000-0x0000000000735000-memory.dmp

Filesize
3.2MB

Download