f0b202162d71ce8170aab9f2ec2df1eef0809d7f8efc33bcac24d9bb202c12c3

Analysis

max time kernel
7s
max time network
7s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/06/2024, 18:56

Target

7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe
Size

6.1MB
MD5

50040aa4fcdf183865b768db08f93fc8
SHA1

442c47025a646e3bfecfc30f1fd229c7d083881c
SHA256

7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d
SHA512

97f3b59e2fc0ce87a4c3dc4fbce49d8d1fca17337f198d5fb6886088d380bb7c2ac82d478e872a56b3ce17487725a5f8586f3868c9f6cde2b80e88a3a415c0f0
SSDEEP

98304:YyXYRyTdoWB2A3eOAJG6+ccZlWUKylsC7nRf/z7s08sQzffscv/cbTbGJZfpJLqy:K8TeWJ3ek1iUKylp7nRT8FfscXQGJBHr

Score

7^/10

vmprotect

Executes dropped EXE 2 IoCs

pid	Process
3680	work.exe
5036	loglraw.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/files/0x000200000002a9c5-14.dat	vmprotect
behavioral1/memory/5036-20-0x0000000000260000-0x0000000000B64000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	loglraw.exe
5036	loglraw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 1324	3392	7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe	78
PID 3392 wrote to memory of 1324	3392	7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe	78
PID 3392 wrote to memory of 1324	3392	7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe	78
PID 1324 wrote to memory of 3680	1324	cmd.exe	82
PID 1324 wrote to memory of 3680	1324	cmd.exe	82
PID 1324 wrote to memory of 3680	1324	cmd.exe	82
PID 3680 wrote to memory of 5036	3680	work.exe	83
PID 3680 wrote to memory of 5036	3680	work.exe	83
PID 3680 wrote to memory of 5036	3680	work.exe	83

C:\Users\Admin\AppData\Local\Temp\7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe
"C:\Users\Admin\AppData\Local\Temp\7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\loglraw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\loglraw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5036

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
5.8MB

MD5
354723d7db32101f5abcea2a9fea41db

SHA1
004efef24d96df7842eac576928372b73369b34d

SHA256
230d1bfb55ee137e9235af2a22e124eaeb5df63b2b46369ec91b391e74113c00

SHA512
171a32d046bf5d5394b4ab4e4c2915e5bca7869ab979c5cecfc209fe6822a6bce7945762948ef64c3f2d03c9040c4f23ac19439faada57a61068581c1d83e1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\loglraw.exe

Filesize
5.5MB

MD5
972041f782ed8a26d04becf8b6717e70

SHA1
235cd9522503b69f34195de93f8f8d9e5d75414e

SHA256
31dded008e6a8f5d8489e0fbe8abce5de8e0b25e7733c4c6818aa7e687cf2f1c

SHA512
bb0288de9dff5f26f599f23c0d587526de43ae58e337ffd07a29614e86cb8f62dfb03c7fcae48c7398b2c1113b0a84202d43f45312af56e1d5157a74186898bc

Download Submit
memory/5036-19-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/5036-20-0x0000000000260000-0x0000000000B64000-memory.dmp

Filesize
9.0MB

Download