Analysis
max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
12/06/2024, 04:55
Behavioral task
behavioral1
Sample
d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Resource
win10v2004-20240508-en
General
Target
d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Size
888KB
MD5
549280b03746fe46670a1dc30a3ab699
SHA1
cad67c6841544445e6ab2b0b28dee9810bb2a4ac
SHA256
d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513
SHA512
fd0546210bfd2b327aa79f433e82247806fa5157906db48316f590e7dd2a7d543540d794467ea187e8f109d978a1428491dc50bdf2d05f1b7c0a91b31ca34bf6
SSDEEP
24576:TkU0mTUajtBfRPJk2NzEdh2QljOBOoDHFGrTCiBZB:gmpjRBtZm2UC1lGrv
Malware Config
Signatures
Detects executables packed with VMProtect. 7 IoCs
resource | yara_rule
behavioral2/memory/3760-0-0x0000000000400000-0x00000000006BD000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3760-2-0x0000000000400000-0x00000000006BD000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/files/0x000800000002342d-8.dat | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/2924-12-0x0000000000400000-0x00000000006BD000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/2924-13-0x0000000000400000-0x00000000006BD000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3760-19-0x0000000000400000-0x00000000006BD000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/2924-27-0x0000000000400000-0x00000000006BD000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | svchost.exe
Executes dropped EXE 2 IoCs
pid | Process
2924 | svchost.exe
1620 | svchost.exe
resource | yara_rule
behavioral2/memory/3760-0-0x0000000000400000-0x00000000006BD000-memory.dmp | vmprotect
behavioral2/memory/3760-2-0x0000000000400000-0x00000000006BD000-memory.dmp | vmprotect
behavioral2/files/0x000800000002342d-8.dat | vmprotect
behavioral2/memory/2924-12-0x0000000000400000-0x00000000006BD000-memory.dmp | vmprotect
behavioral2/memory/2924-13-0x0000000000400000-0x00000000006BD000-memory.dmp | vmprotect
behavioral2/memory/3760-19-0x0000000000400000-0x00000000006BD000-memory.dmp | vmprotect
behavioral2/memory/2924-27-0x0000000000400000-0x00000000006BD000-memory.dmp | vmprotect
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe (6 entries)
2924 | svchost.exe (6 entries)
1620 | svchost.exe (remaining 52 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Token: SeDebugPrivilege | 2924 | svchost.exe
Token: SeDebugPrivilege | 1620 | svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2924 | svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
2924 | svchost.exe
2924 | svchost.exe
2924 | svchost.exe
2924 | svchost.exe
1620 | svchost.exe
1620 | svchost.exe
2924 | svchost.exe
2924 | svchost.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3760 wrote to memory of 2924 | 3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe | 84
PID 3760 wrote to memory of 2924 | 3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe | 84
PID 3760 wrote to memory of 2924 | 3760 | d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe | 84
PID 2924 wrote to memory of 1620 | 2924 | svchost.exe | 85
PID 2924 wrote to memory of 1620 | 2924 | svchost.exe | 85
PID 2924 wrote to memory of 1620 | 2924 | svchost.exe | 85
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3760
Level 2 (child of 3760): C:\Users\Admin\AppData\Local\Temp\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2924
Level 3 (child of 2924): C:\data\svchost.exe
Command line: "C:\data\svchost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1620
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
888KB
MD5
549280b03746fe46670a1dc30a3ab699
SHA1
cad67c6841544445e6ab2b0b28dee9810bb2a4ac
SHA256
d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513
SHA512
fd0546210bfd2b327aa79f433e82247806fa5157906db48316f590e7dd2a7d543540d794467ea187e8f109d978a1428491dc50bdf2d05f1b7c0a91b31ca34bf6

Filesize
592KB
MD5
c42b775ea210a4f960790c96b6efd226
SHA1
8503f263a4c9493242ece9e53c6a0df4430188cd
SHA256
f56b1a316f19573b5a9eab6a884e6f274f58c5c9c93022e19e9b53c4126ea2d3
SHA512
f83874d170dc5d8931db65a84ad21d70807ff4d3fac5c6001a8bd99167f99f5603f3421235430181648c250d29941b7e28c15c7c0b5570c5089f7c268193bf5f