Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/06/2024, 04:55

General

  • Target

    d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe

  • Size

    888KB

  • MD5

    549280b03746fe46670a1dc30a3ab699

  • SHA1

    cad67c6841544445e6ab2b0b28dee9810bb2a4ac

  • SHA256

    d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513

  • SHA512

    fd0546210bfd2b327aa79f433e82247806fa5157906db48316f590e7dd2a7d543540d794467ea187e8f109d978a1428491dc50bdf2d05f1b7c0a91b31ca34bf6

  • SSDEEP

    24576:TkU0mTUajtBfRPJk2NzEdh2QljOBOoDHFGrTCiBZB:gmpjRBtZm2UC1lGrv

Score
9/10

Malware Config

Signatures

  • Detects executables packed with VMProtect. 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
    "C:\Users\Admin\AppData\Local\Temp\d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\data\svchost.exe
        "C:\data\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2172
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\data\1.jpg

    Filesize

    29KB

    MD5

    d626e7d19ac19339b2522c3ee500f82c

    SHA1

    d6ce546819d97cb27c344835ed78370236ee46f1

    SHA256

    787599a00d40cc58f29f3bff553a6750c9aba756250fe5710464fb717352bacf

    SHA512

    55fae601063e517c5a272556a968e1b835ae3e243241c16fd3fa70268e9a9c697641d80bda0560475f2d6e455475d6e8defdc06d3f4b26151271809f4e92fe7f

  • C:\data\2.jpg

    Filesize

    49KB

    MD5

    81a1e5baff44012bc98c3cabd2fd38e7

    SHA1

    151b386ab287e34e0b1eae328eb8e8ced13b2783

    SHA256

    f03127e9305daebf6bfa58e5b81332c332a681f29b26036b326bc314b2f53ff2

    SHA512

    1ff56afc51a05cf5d0bfb17823e72247f585afcf4f9ac51dea11f9cfa6455e3f36e92bc7786cdc3c740270b6a3c4314c1ee6088fc86377e03fef9228b5ea361d

  • \Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    888KB

    MD5

    549280b03746fe46670a1dc30a3ab699

    SHA1

    cad67c6841544445e6ab2b0b28dee9810bb2a4ac

    SHA256

    d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513

    SHA512

    fd0546210bfd2b327aa79f433e82247806fa5157906db48316f590e7dd2a7d543540d794467ea187e8f109d978a1428491dc50bdf2d05f1b7c0a91b31ca34bf6

  • \data\svchost.exe

    Filesize

    592KB

    MD5

    c42b775ea210a4f960790c96b6efd226

    SHA1

    8503f263a4c9493242ece9e53c6a0df4430188cd

    SHA256

    f56b1a316f19573b5a9eab6a884e6f274f58c5c9c93022e19e9b53c4126ea2d3

    SHA512

    f83874d170dc5d8931db65a84ad21d70807ff4d3fac5c6001a8bd99167f99f5603f3421235430181648c250d29941b7e28c15c7c0b5570c5089f7c268193bf5f

  • memory/1764-23-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

  • memory/2964-11-0x0000000003000000-0x00000000032BD000-memory.dmp

    Filesize

    2.7MB

  • memory/2964-20-0x0000000000400000-0x00000000006BD000-memory.dmp

    Filesize

    2.7MB

  • memory/2964-13-0x0000000003000000-0x00000000032BD000-memory.dmp

    Filesize

    2.7MB

  • memory/2964-0-0x0000000000400000-0x00000000006BD000-memory.dmp

    Filesize

    2.7MB

  • memory/2964-2-0x0000000000400000-0x00000000006BD000-memory.dmp

    Filesize

    2.7MB

  • memory/2996-22-0x0000000002590000-0x0000000002592000-memory.dmp

    Filesize

    8KB

  • memory/2996-14-0x0000000000400000-0x00000000006BD000-memory.dmp

    Filesize

    2.7MB

  • memory/2996-34-0x0000000000400000-0x00000000006BD000-memory.dmp

    Filesize

    2.7MB