eda360f8f9d868886fed471f8154089a2309a1869acf5ba49d765bfeb4dfda1e

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INV_0025.exe
Size

4.7MB
MD5

722b884c9d602ffa4703b2a0ab26ba5a
SHA1

8c8e608abe55d6769b6afb77cc69918391e8da70
SHA256

eda360f8f9d868886fed471f8154089a2309a1869acf5ba49d765bfeb4dfda1e
SHA512

8c978eba9e592cb0305bf7185ef2b1af58ea0794ce025512440c8dc1b59d1485e33bc8970abe191e93828e233d453a72a1abff80574b993ac585297d1d01319e
SSDEEP

24576:oGZq8j88T+NfdKeGUmTD0kdWmclqZ8WBnCfDeKmx0dg9n3dOgU++PmRawMreZG4C:p8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vmorfrblmrs = "C:\\Users\\Admin\\AppData\\Roaming\\Vmorfrblmrs.exe"	INV_0025.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 2580	2136	INV_0025.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2136	INV_0025.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	INV_0025.exe
Token: SeDebugPrivilege	2136	INV_0025.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2580	2136	INV_0025.exe	30
PID 2136 wrote to memory of 2580	2136	INV_0025.exe	30
PID 2136 wrote to memory of 2580	2136	INV_0025.exe	30
PID 2136 wrote to memory of 2580	2136	INV_0025.exe	30
PID 2136 wrote to memory of 2580	2136	INV_0025.exe	30
PID 2136 wrote to memory of 2580	2136	INV_0025.exe	30
PID 2136 wrote to memory of 2580	2136	INV_0025.exe	30
PID 2136 wrote to memory of 2580	2136	INV_0025.exe	30

C:\Users\Admin\AppData\Local\Temp\INV_0025.exe
"C:\Users\Admin\AppData\Local\Temp\INV_0025.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\INV_0025.exe
  "C:\Users\Admin\AppData\Local\Temp\INV_0025.exe"
  2⤵
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2136-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000001380000-0x000000000182C000-memory.dmp

Filesize
4.7MB

Download
memory/2136-2-0x0000000006010000-0x0000000006262000-memory.dmp

Filesize
2.3MB

Download
memory/2136-3-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-4-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-40-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-6-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-44-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-52-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-8-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-60-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-62-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-10-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-12-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-14-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-16-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-18-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-20-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-22-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-24-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-26-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-28-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-30-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-32-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-34-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-4891-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-4890-0x0000000000BF0000-0x0000000000C3C000-memory.dmp

Filesize
304KB

Download
memory/2136-4889-0x0000000006840000-0x00000000068CE000-memory.dmp

Filesize
568KB

Download
memory/2136-66-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-64-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-58-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-56-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-54-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-50-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-48-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-46-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-42-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-38-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-36-0x0000000006010000-0x000000000625C000-memory.dmp

Filesize
2.3MB

Download
memory/2136-4892-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2136-4893-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-4894-0x0000000000E50000-0x0000000000EA4000-memory.dmp

Filesize
336KB

Download
memory/2136-4904-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download