e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]05e82b287218043df6c8560cd0e2719c.exe
Size

3.7MB
MD5

05e82b287218043df6c8560cd0e2719c
SHA1

518aa65ddc31221ffb86c08284cc09cce822ca61
SHA256

6f69f5987484255099267987682ef6a3c38d58bdb835f259e0752c326ccde922
SHA512

255b3b1d65131a1ae6c05f0fd1b028a91b1ac8dbad2a9714af64dcb2568342b1fc9a0e9e6fc939b63cd43c3527658d411c64f49be740e092134639b01f0d5746
SSDEEP

98304:ypuxOhnkR+NK/jlEGsfVN6O4I0eD3t29t4qIYmcArc:ypuxqxNK5EG2VN6NI0eDdgtjnArc

Score

8^/10

persistence privilege_escalation vmprotect

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Executes dropped EXE 1 IoCs

Processes:

anhxrcb.exe

pid process

3016 anhxrcb.exe

pid	process
3016	anhxrcb.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral5/memory/1044-0-0x0000000000400000-0x0000000000995000-memory.dmp	vmprotect
C:\PROGRA~3\Mozilla\anhxrcb.exe	vmprotect
behavioral5/memory/3016-10-0x0000000000400000-0x0000000000995000-memory.dmp	vmprotect

Drops file in Program Files directory 2 IoCs

Processes:

[DemonArchives]05e82b287218043df6c8560cd0e2719c.exeanhxrcb.exe

description	ioc	process
File created	C:\PROGRA~3\Mozilla\anhxrcb.exe	[DemonArchives]05e82b287218043df6c8560cd0e2719c.exe
File created	C:\PROGRA~3\Mozilla\fqurfhn.dll	anhxrcb.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

[DemonArchives]05e82b287218043df6c8560cd0e2719c.exeanhxrcb.exe

pid process

1044 [DemonArchives]05e82b287218043df6c8560cd0e2719c.exe
3016 anhxrcb.exe

pid	process
1044	[DemonArchives]05e82b287218043df6c8560cd0e2719c.exe
3016	anhxrcb.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1940 wrote to memory of 3016	1940	taskeng.exe	anhxrcb.exe
PID 1940 wrote to memory of 3016	1940	taskeng.exe	anhxrcb.exe
PID 1940 wrote to memory of 3016	1940	taskeng.exe	anhxrcb.exe
PID 1940 wrote to memory of 3016	1940	taskeng.exe	anhxrcb.exe

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]05e82b287218043df6c8560cd0e2719c.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]05e82b287218043df6c8560cd0e2719c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1044

C:\Windows\system32\taskeng.exe
taskeng.exe {A5921480-A817-4002-B34F-EFF0DD2225AC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\PROGRA~3\Mozilla\anhxrcb.exe
C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\anhxrcb.exe

Filesize
3.7MB

MD5
1fdad3d57d9201ba9a6ce9fc6b463400

SHA1
a6fbc7a221444a069a547772231efe64ccee713d

SHA256
ff84c96f1936ead5e0414bda7864b823b8a6d15b2ee4dbef070b0745803850a8

SHA512
69dfe497ddd43e510a02563e4443dcddf1330873c38dbb1a50b89b6bbde9c07d0788f4246625affe8a563f9bc0ea51da7a71c0e2ecd840510767c1c989778ea1

Download Submit
memory/1044-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1044-2-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1044-0-0x0000000000400000-0x0000000000995000-memory.dmp

Filesize
5.6MB

Download
memory/1044-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3016-10-0x0000000000400000-0x0000000000995000-memory.dmp

Filesize
5.6MB

Download
memory/3016-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3016-11-0x0000000000390000-0x00000000003EB000-memory.dmp

Filesize
364KB

Download
memory/3016-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download