d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Size

888KB
MD5

549280b03746fe46670a1dc30a3ab699
SHA1

cad67c6841544445e6ab2b0b28dee9810bb2a4ac
SHA256

d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513
SHA512

fd0546210bfd2b327aa79f433e82247806fa5157906db48316f590e7dd2a7d543540d794467ea187e8f109d978a1428491dc50bdf2d05f1b7c0a91b31ca34bf6
SSDEEP

24576:TkU0mTUajtBfRPJk2NzEdh2QljOBOoDHFGrTCiBZB:gmpjRBtZm2UC1lGrv

Score

9^/10

vmprotect

Malware Config

Signatures

Detects executables packed with VMProtect. 6 IoCs

resource	yara_rule
behavioral1/memory/2964-0-0x0000000000400000-0x00000000006BD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2964-2-0x0000000000400000-0x00000000006BD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/files/0x000a000000015f7a-5.dat	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2996-14-0x0000000000400000-0x00000000006BD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2964-20-0x0000000000400000-0x00000000006BD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2996-34-0x0000000000400000-0x00000000006BD000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Executes dropped EXE 2 IoCs

pid	Process
2996	svchost.exe
2172	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2996	svchost.exe
2996	svchost.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2964-0-0x0000000000400000-0x00000000006BD000-memory.dmp	vmprotect
behavioral1/memory/2964-2-0x0000000000400000-0x00000000006BD000-memory.dmp	vmprotect
behavioral1/files/0x000a000000015f7a-5.dat	vmprotect
behavioral1/memory/2996-14-0x0000000000400000-0x00000000006BD000-memory.dmp	vmprotect
behavioral1/memory/2964-20-0x0000000000400000-0x00000000006BD000-memory.dmp	vmprotect
behavioral1/memory/2996-34-0x0000000000400000-0x00000000006BD000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	svchost.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Token: SeDebugPrivilege	2996	svchost.exe
Token: SeDebugPrivilege	2172	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2996	svchost.exe
1764	DllHost.exe
1764	DllHost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2172	svchost.exe
2172	svchost.exe
2996	svchost.exe
2996	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2996	2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe	28
PID 2964 wrote to memory of 2996	2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe	28
PID 2964 wrote to memory of 2996	2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe	28
PID 2964 wrote to memory of 2996	2964	d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe	28
PID 2996 wrote to memory of 2172	2996	svchost.exe	31
PID 2996 wrote to memory of 2172	2996	svchost.exe	31
PID 2996 wrote to memory of 2172	2996	svchost.exe	31
PID 2996 wrote to memory of 2172	2996	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
"C:\Users\Admin\AppData\Local\Temp\d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\data\svchost.exe
    "C:\data\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2172

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\data\1.jpg

Filesize
29KB

MD5
d626e7d19ac19339b2522c3ee500f82c

SHA1
d6ce546819d97cb27c344835ed78370236ee46f1

SHA256
787599a00d40cc58f29f3bff553a6750c9aba756250fe5710464fb717352bacf

SHA512
55fae601063e517c5a272556a968e1b835ae3e243241c16fd3fa70268e9a9c697641d80bda0560475f2d6e455475d6e8defdc06d3f4b26151271809f4e92fe7f

Download Submit
C:\data\2.jpg

Filesize
49KB

MD5
81a1e5baff44012bc98c3cabd2fd38e7

SHA1
151b386ab287e34e0b1eae328eb8e8ced13b2783

SHA256
f03127e9305daebf6bfa58e5b81332c332a681f29b26036b326bc314b2f53ff2

SHA512
1ff56afc51a05cf5d0bfb17823e72247f585afcf4f9ac51dea11f9cfa6455e3f36e92bc7786cdc3c740270b6a3c4314c1ee6088fc86377e03fef9228b5ea361d

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
888KB

MD5
549280b03746fe46670a1dc30a3ab699

SHA1
cad67c6841544445e6ab2b0b28dee9810bb2a4ac

SHA256
d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513

SHA512
fd0546210bfd2b327aa79f433e82247806fa5157906db48316f590e7dd2a7d543540d794467ea187e8f109d978a1428491dc50bdf2d05f1b7c0a91b31ca34bf6

Download Submit
\data\svchost.exe

Filesize
592KB

MD5
c42b775ea210a4f960790c96b6efd226

SHA1
8503f263a4c9493242ece9e53c6a0df4430188cd

SHA256
f56b1a316f19573b5a9eab6a884e6f274f58c5c9c93022e19e9b53c4126ea2d3

SHA512
f83874d170dc5d8931db65a84ad21d70807ff4d3fac5c6001a8bd99167f99f5603f3421235430181648c250d29941b7e28c15c7c0b5570c5089f7c268193bf5f

Download Submit
memory/1764-23-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2964-11-0x0000000003000000-0x00000000032BD000-memory.dmp

Filesize
2.7MB

Download
memory/2964-20-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2964-13-0x0000000003000000-0x00000000032BD000-memory.dmp

Filesize
2.7MB

Download
memory/2964-0-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2964-2-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2996-22-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/2996-14-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2996-34-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download