Overview

overview

8

Static

static

3

6ce2dd44af...de.exe

windows7-x64

8

6ce2dd44af...de.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26/07/2024, 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ce2dd44af698342d0f4afdb2ac98bde.exe

  • Size

    3.0MB

  • MD5

    6ce2dd44af698342d0f4afdb2ac98bde

  • SHA1

    a3ec89d5554106a44da1b8031ebd392bb45f604e

  • SHA256

    af65ccab4775f2f089c7bb81185b2913c250e730ff4825f644468f9120a3840f

  • SHA512

    1a1d90f4dfd18b3a63ae8bee8a09399ffe8f27cbb8878b03278490be91bc2640ff6ab9783d8d9c99d200cd5d1eeb818d7e807b870a08270e3765ef08d60a76e2

  • SSDEEP

    49152:3nB567vTZhkF3uDWUQG1+HPT7REpTlqs0n5IKQPMLQgaG17wNR0YbWAb/Eb667RY:G77ZhkwDWUJW/AQs0aKkgaGUNSYbWCsU

Score
8/10
defense_evasiondiscoveryvmprotect

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ce2dd44af698342d0f4afdb2ac98bde.exe
    "C:\Users\Admin\AppData\Local\Temp\6ce2dd44af698342d0f4afdb2ac98bde.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\YY.exe
      C:\Windows\system32\\YY.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2352
    • C:\Users\Admin\AppData\Local\Temp\77.exe
      C:\Users\Admin\AppData\Local\Temp\\77.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\360saf1.exe
        "C:\Windows\360saf1.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\77.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2260
    • C:\Windows\SysWOW64\ÍõÕß.exe
      C:\Windows\system32\\ÍõÕß.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1304
  • C:\Windows\360saf1.exe
    C:\Windows\360saf1.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
        PID:2660

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\info_48[1]
      Filesize

      4KB

      MD5

      5565250fcc163aa3a79f0b746416ce69

      SHA1

      b97cc66471fcdee07d0ee36c7fb03f342c231f8f

      SHA256

      51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

      SHA512

      e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\NewErrorPageTemplate[2]
      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\background_gradient[2]
      Filesize

      453B

      MD5

      20f0110ed5e4e0d5384a496e4880139b

      SHA1

      51f5fc61d8bf19100df0f8aadaa57fcd9c086255

      SHA256

      1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

      SHA512

      5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\dnserrordiagoff[1]
      Filesize

      1KB

      MD5

      47f581b112d58eda23ea8b2e08cf0ff0

      SHA1

      6ec1df5eaec1439573aef0fb96dabfc953305e5b

      SHA256

      b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

      SHA512

      187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\ErrorPageTemplate[1]
      Filesize

      2KB

      MD5

      f4fe1cb77e758e1ba56b8a8ec20417c5

      SHA1

      f4eda06901edb98633a686b11d02f4925f827bf0

      SHA256

      8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

      SHA512

      62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\bullet[2]
      Filesize

      447B

      MD5

      26f971d87ca00e23bd2d064524aef838

      SHA1

      7440beff2f4f8fabc9315608a13bf26cabad27d9

      SHA256

      1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

      SHA512

      c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\errorPageStrings[1]
      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\httpErrorPagesScripts[1]
      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\navcancl[1]
      Filesize

      2KB

      MD5

      4bcfe9f8db04948cddb5e31fe6a7f984

      SHA1

      42464c70fc16f3f361c2419751acd57d51613cdf

      SHA256

      bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

      SHA512

      bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\77.exe
      Filesize

      31KB

      MD5

      a78d03fdb023268833e60c4676335a86

      SHA1

      298b48caea19fb3ef2333c490427fffc7d28d208

      SHA256

      0fcbed45204a331614c2a9e911f39709775c6644939ca5f77d08ade9c5988444

      SHA512

      e9702ca220718b52784c3c10a6e8ff2746082686ab856462e08595848e02ee281d2263c1e1afed0aec6a5eb98e83beadcd6e1397aa3597f72c2db3cff6686168

      Download Submit

    • \Windows\SysWOW64\YY.exe
      Filesize

      548KB

      MD5

      2ede7bfb91045bda50276e8a505e4073

      SHA1

      766f4af7d67310dfe5924a30e1fe3524da17bd3d

      SHA256

      74281acec4111a5a0736c74eef5cccbe9b66218396b4b079e067c9d1671fb8c9

      SHA512

      3eb90d116312c5360ff02e2eb38343724e928c13a29738fa7510bad0ad844b49f8b76f8cd184907c9b4a37baba9240fb4f4be82336436014a55baabf834ec9f1

      Download Submit

    • \Windows\SysWOW64\ÍõÕß.exe
      Filesize

      2.7MB

      MD5

      12acf5a94dd99df5bb73a1a79c89f5e6

      SHA1

      ff49377e830e0a9c548615ec3f7f6314b4d681cd

      SHA256

      865d9a2cfe2921c8385f8fbd07f779faae6ed20b0758f01e473c549410f3383f

      SHA512

      4994e408201c4327c8f687dfb934ce8032dbead6f3e567d72657e8a3c315c9ca9729b7d83f13ad7fe5326ee4c8385197a8e7ebde9bcf56bd0bd57d1a0ce53e1d

      Download Submit

    • memory/1304-36-0x0000000000400000-0x0000000000A04000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1304-186-0x0000000000400000-0x0000000000A04000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1304-37-0x0000000000400000-0x0000000000A04000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1976-33-0x0000000002A20000-0x0000000003024000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1976-34-0x0000000002A20000-0x0000000003024000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2660-44-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2660-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2660-42-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download