7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe
Size

6.1MB
MD5

50040aa4fcdf183865b768db08f93fc8
SHA1

442c47025a646e3bfecfc30f1fd229c7d083881c
SHA256

7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d
SHA512

97f3b59e2fc0ce87a4c3dc4fbce49d8d1fca17337f198d5fb6886088d380bb7c2ac82d478e872a56b3ce17487725a5f8586f3868c9f6cde2b80e88a3a415c0f0
SSDEEP

98304:YyXYRyTdoWB2A3eOAJG6+ccZlWUKylsC7nRf/z7s08sQzffscv/cbTbGJZfpJLqy:K8TeWJ3ek1iUKylp7nRT8FfscXQGJBHr

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2644	work.exe
2828	loglraw.exe

Loads dropped DLL 5 IoCs

pid	Process
2072	cmd.exe
2644	work.exe
2644	work.exe
2644	work.exe
2644	work.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0008000000015678-24.dat	vmprotect
behavioral1/memory/2828-43-0x00000000011B0000-0x0000000001AB4000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2828	loglraw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2072	1668	7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe	28
PID 1668 wrote to memory of 2072	1668	7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe	28
PID 1668 wrote to memory of 2072	1668	7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe	28
PID 1668 wrote to memory of 2072	1668	7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe	28
PID 2072 wrote to memory of 2644	2072	cmd.exe	30
PID 2072 wrote to memory of 2644	2072	cmd.exe	30
PID 2072 wrote to memory of 2644	2072	cmd.exe	30
PID 2072 wrote to memory of 2644	2072	cmd.exe	30
PID 2644 wrote to memory of 2828	2644	work.exe	31
PID 2644 wrote to memory of 2828	2644	work.exe	31
PID 2644 wrote to memory of 2828	2644	work.exe	31
PID 2644 wrote to memory of 2828	2644	work.exe	31

C:\Users\Admin\AppData\Local\Temp\7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe
"C:\Users\Admin\AppData\Local\Temp\7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\loglraw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\loglraw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
5.8MB

MD5
354723d7db32101f5abcea2a9fea41db

SHA1
004efef24d96df7842eac576928372b73369b34d

SHA256
230d1bfb55ee137e9235af2a22e124eaeb5df63b2b46369ec91b391e74113c00

SHA512
171a32d046bf5d5394b4ab4e4c2915e5bca7869ab979c5cecfc209fe6822a6bce7945762948ef64c3f2d03c9040c4f23ac19439faada57a61068581c1d83e1e2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\loglraw.exe

Filesize
5.5MB

MD5
972041f782ed8a26d04becf8b6717e70

SHA1
235cd9522503b69f34195de93f8f8d9e5d75414e

SHA256
31dded008e6a8f5d8489e0fbe8abce5de8e0b25e7733c4c6818aa7e687cf2f1c

SHA512
bb0288de9dff5f26f599f23c0d587526de43ae58e337ffd07a29614e86cb8f62dfb03c7fcae48c7398b2c1113b0a84202d43f45312af56e1d5157a74186898bc

Download Submit
memory/2828-40-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2828-38-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2828-42-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2828-43-0x00000000011B0000-0x0000000001AB4000-memory.dmp

Filesize
9.0MB

Download