Overview

overview

8

Static

static

7

wps.exe

windows7-x64

8

wps.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    139s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09/08/2024, 01:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    wps.exe

  • Size

    393KB

  • MD5

    fea57e5ff3e1d4c65d562425dffe5d9a

  • SHA1

    98d71911b88b1c04ab4f0db4fe2a01bf5403bb8a

  • SHA256

    2ebd97ca00ab57df8e6193b62d791d115ca769f3174c4696c759064ece2b05f1

  • SHA512

    059f410c01d6bed6bbefbac32233c112a42379b0dd373a10b16e1b72a0ba2efbd05a804fe46b9ec7002b2a7d454468f045f0bc00211f7fafdb573da55791794a

  • SSDEEP

    12288:TcIVVi+aIHMlDvQiu+Tf8VPaoRTyj3G248/:TsjL8D+uPaoRA/

Score
8/10
discoveryvmprotect

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 14 IoCs
  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wps.exe
    "C:\Users\Admin\AppData\Local\Temp\wps.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\1wsle3vxsnuup05\spower.exe
      C:\Users\Admin\AppData\Local\Temp\1wsle3vxsnuup05\spower.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1628
    • C:\Users\Admin\AppData\Local\Temp\1wsle3vxsnuup05\upssvc.exe
      C:\Users\Admin\AppData\Local\Temp\1wsle3vxsnuup05\upssvc.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:620
    • C:\ProgramData\NVIDIARV\svchost.exe
      C:\ProgramData\NVIDIARV\svchost.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      PID:804
    • C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /Create /SC ONLOGON /TN WindowsUpdata /F /RL HIGHEST /TR C:\Users\Public\Picturesq24n7as7\CCCef3Render.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1488
  • C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe
    "C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe" -Embedding
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:3068

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Program Files\Microvirt\MEmuHyperv\MEmuDDU.dll
          Filesize

          355KB

          MD5

          ce98c3cbd7bfcca2755b35e77a2bceb2

          SHA1

          c12c20bb69e7858682ab6bb21ca3971880efdc07

          SHA256

          1ec46488b2db690f6f769c6cfa7e3021ee6f88096303f04be43f3f2150d8c946

          SHA512

          dfc4f4b300cd2dc0d0f19b415da157b15ce666e1927266feb7a445ffb9199620bb7fc55746239f81fd3f79133c64c8d41822ccddc625288a33a6737a062faee5

          Download Submit

        • \Program Files\Microvirt\MEmuHyperv\MEmuRT.dll
          Filesize

          3.8MB

          MD5

          56719cc92af72f56f46a5798b1430d9e

          SHA1

          497456e1b225a541058c8d7f96f2a3ef082d147c

          SHA256

          ca5e9919a5b3612a2faaab0f08f3e95db69e3d88d821a706c5d68d3f0d86d060

          SHA512

          5ca3fd7d6f86c5969949e55669c315287084633ccd42aae45cef170bce4fb05071637aaf6a9fce973cdb32003fdf02e184c8dc5aa3c327a17d3889084e07637a

          Download Submit

        • \Program Files\Microvirt\MEmuHyperv\MSVCP100.dll
          Filesize

          612KB

          MD5

          89acd78f8c6d92947b3fcc78c7493036

          SHA1

          3317bd26eda9a7a0d49dfcfe27673d96b2873c95

          SHA256

          e7675926ff8f230e3ce88de65e47ab3fd6f8d617a93e062dd9ecc4226e9d16c0

          SHA512

          08ddb16ab60ea0f531f7853dc6a66a7a2302516e1b54258f2884528a4304cb05111b073d15387702c359f00bd96156043cadddd2b230bfa8bd288b578a11225f

          Download Submit

        • \Program Files\Microvirt\MEmuHyperv\MSVCR100.dll
          Filesize

          830KB

          MD5

          34b2d5ad1c7c600f9d24660928a03382

          SHA1

          ab9621342ada12b355ea5fcd76b666193898c11b

          SHA256

          d7d6ff911503e848ffc6c0ba43382cc2e1e00b367d55ffdb883c54b688c5c28e

          SHA512

          0d86a396f81864c9ce5a57090fd45745f8c66a28f78fb469a6d62ce01c519f6a0c58d904afa99baef2f74ae4fe2308dc710c901d0394779837b82748679363fa

          Download Submit

        • \Program Files\Microvirt\MEmuHyperv\libcrypto-1_1-x64.dll
          Filesize

          2.6MB

          MD5

          6def652fd7e5207c374fc51534bda953

          SHA1

          ee23eab28dd67ce96e7799a31801580c824cde5f

          SHA256

          80677a75588101ca6da2a22b74c02bd5b91aba2a62d1bce20d07370a9ddf0118

          SHA512

          f3284532571bfb83a622b019040e4882866941c66a06a9c83da23a1a820b940c48ffedd1d109c799b64d6bd30775cdb9ea1067869f565116653988bd763552a8

          Download Submit

        • \Program Files\Microvirt\MEmuHyperv\libcurl.dll
          Filesize

          365KB

          MD5

          75b9bbfcf9581252474a5d1daa6e6641

          SHA1

          0fb1cfa16bf68fb13ba9816c2354af358bded167

          SHA256

          c78b0aa24630b35dfd3030626f873a89a39944ffa620b6afb42ae50eb1618f4b

          SHA512

          ed527526fd6053425fcefdfa5174d7dfa3b3b3601f33f8019b1215c9f1b85d823910f5a02c9bdd296d70058a516f9d464f42e712903144315e17f4ce7ad17561

          Download Submit

        • \Program Files\Microvirt\MEmuHyperv\libssl-1_1-x64.dll
          Filesize

          639KB

          MD5

          2b242983d5fc098515105268eb22f0b7

          SHA1

          6a660eae893f16b988b44ec943a8dacf808f467e

          SHA256

          1679808a0a410e73d7807c1facfd0ce0ee1e6270b35d29dcdf0a8977c17418ac

          SHA512

          905b01240f92124f71acd61a075887d89a83699681f585a246aa44b9d514829adec5ab827d720c7c7eccd8392698ee3f18fe9b2f7fcd81000cb0f40caa28ff06

          Download Submit

        • \Program Files\Microvirt\MEmuHyperv\mesvc.exe
          Filesize

          4.6MB

          MD5

          8c1eca3e2fe8f5fd1a0ce4b4a8cf4409

          SHA1

          8d45e044cbdcf645fe359864bc700b2568032687

          SHA256

          6ef47689ea1309e43869ec59861a677fe4e40cf03eb89386fc7d32fc516e9671

          SHA512

          4bf03b1453fa1f1bed14cb133c01c7b9b348f82da775bbbeaefc7867d348928c265b6b38623ced8b711138876365d63a669955920a5b5ae119975184297fe54f

          Download Submit

        • \ProgramData\NVIDIARV\svchost.exe
          Filesize

          124KB

          MD5

          7f789357346151237a53cd9d4368070d

          SHA1

          5f085cb38df40529aa90ca19e10ac3dc2b6b0d0f

          SHA256

          d7ea9d24b5aa4a772b70569f83d745f3fb95fc07e3f12b9b2a2104b780e01afb

          SHA512

          3ab095a16e0c35febd2cc57b80c3875b346c0dd6cc7d8bc559fd75998537ca7c07849183fa620b65e444c48b3cd900d1f37391cb8737fd0ec512837639eabaa3

          Download Submit

        • \Users\Admin\AppData\Local\Temp\1wsle3vxsnuup05\spower.exe
          Filesize

          1.1MB

          MD5

          7d36f6333547acc3b7dc83e082f90e45

          SHA1

          dd1ebd454970b5a1791ed3fcc240fe15a5906f91

          SHA256

          7b29d4f45a4353b32ca1f5e3a79ef87e7dda5f1572100cce70aaf2fa6c9d25b9

          SHA512

          93bf4fa081eb341a87c7c43d5bb6e45fedfeee71161d782a02d07072741684320379e87b4c660a3a4b716141e25a24ffce760e4b04613dbd6df27bf001abf123

          Download Submit

        • \Users\Admin\AppData\Local\Temp\1wsle3vxsnuup05\upssvc.exe
          Filesize

          147KB

          MD5

          68a6e6dfdd09a7e7fb8d31b104d9c40c

          SHA1

          688e015ec4a38df2b24e2adadcce2c67cb513167

          SHA256

          f1ffc36d0a457653cb1f86a094e31d870155f2f090c9f38836a56c7893e73e4e

          SHA512

          633eb75c51a730ca37f4287ea26017523d70f8c4a34c656e2ee7aaa2a99ed697a679ee395d345cef6942ae28cae199513943250cae2f0dd33d52bf5241586aca

          Download Submit

        • memory/620-372-0x000000013F8D0000-0x000000013F91A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/620-376-0x000000013F8D0000-0x000000013F91A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/804-389-0x0000000000400000-0x000000000044B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/804-402-0x0000000000400000-0x000000000044B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1628-360-0x000000013F7C0000-0x000000013F9F3000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/1628-396-0x000000013F7C0000-0x000000013F9F3000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/1864-20-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-116-0x0000000005750000-0x0000000005751000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-0-0x0000000000400000-0x000000000051A000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1864-19-0x0000000006140000-0x0000000006141000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-24-0x0000000006780000-0x0000000006781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-25-0x00000000043F0000-0x00000000043F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-27-0x00000000068E0000-0x00000000068E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-28-0x00000000003A0000-0x00000000003A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-31-0x0000000005940000-0x0000000005941000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-30-0x0000000006940000-0x0000000006941000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-34-0x0000000003D30000-0x0000000003D31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-33-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-38-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-39-0x0000000005F80000-0x0000000005F81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-40-0x0000000006B80000-0x0000000006B81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-41-0x0000000000360000-0x0000000000361000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-45-0x0000000006D50000-0x0000000006D51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-46-0x00000000034F0000-0x00000000034F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-47-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-44-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-82-0x0000000005580000-0x0000000005581000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-81-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-93-0x0000000005500000-0x0000000005501000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-92-0x0000000004B10000-0x0000000004B11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-91-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-94-0x0000000005520000-0x0000000005521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-109-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-108-0x0000000005730000-0x0000000005731000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-107-0x0000000005490000-0x0000000005491000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-106-0x0000000005580000-0x0000000005581000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-117-0x00000000031E0000-0x00000000031E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-17-0x00000000059E0000-0x00000000059E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-205-0x0000000005530000-0x0000000005531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-209-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-335-0x0000000006D00000-0x0000000006D01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-334-0x0000000005530000-0x0000000005531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-18-0x00000000060F0000-0x00000000060F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-16-0x0000000005960000-0x0000000005961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-15-0x00000000058B0000-0x00000000058B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-14-0x00000000054B0000-0x00000000054B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-13-0x0000000004E80000-0x0000000004E81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-12-0x0000000004930000-0x0000000004931000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-10-0x0000000003D50000-0x0000000003D51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-11-0x0000000004010000-0x0000000004011000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-9-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-8-0x0000000003510000-0x0000000003511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-359-0x0000000002EE0000-0x0000000003113000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/1864-7-0x0000000003200000-0x0000000003201000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-369-0x0000000003020000-0x000000000306A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1864-370-0x0000000003020000-0x000000000306A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1864-6-0x0000000002B90000-0x0000000002B91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-4-0x0000000000350000-0x0000000000351000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-377-0x0000000006D00000-0x0000000006D01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-5-0x0000000000390000-0x0000000000391000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-1-0x0000000000400000-0x000000000051A000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1864-388-0x0000000003020000-0x000000000306B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1864-387-0x0000000003020000-0x000000000306B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1864-395-0x0000000002EE0000-0x0000000003113000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/1864-2-0x0000000000400000-0x000000000051A000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1864-398-0x0000000003020000-0x000000000306A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1864-401-0x0000000000400000-0x000000000051A000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1864-3-0x0000000000400000-0x000000000051A000-memory.dmp

          Filesize

          1.1MB

          Download