Overview

overview

7

Static

static

3

VANGUARD BYPASS.exe

windows7-x64

7

VANGUARD BYPASS.exe

windows10-2004-x64

7

slayts.1337

windows7-x64

3

slayts.1337

windows10-2004-x64

3

test.txt

windows7-x64

1

test.txt

windows10-2004-x64

1

Resubmissions

03-09-2024 09:31

240903-lharkatamj 7

03-09-2024 09:22

240903-lbyj2stgpf 7

Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2024 09:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VANGUARD BYPASS.exe

  • Size

    2.5MB

  • MD5

    2473c143b9591080093561cd3fc42955

  • SHA1

    3a65083c411edba6b7a5dcdb93a2bebcc410e95b

  • SHA256

    89ee1cbd0ef4390b420dea55744487665d4bf7dcfa2c2597db2984dfad5dff1a

  • SHA512

    ae599014de20c34d0b75d938f743dc443b37bbd5095ec4f24548f9cff5a08f48a7959eae0dea070cf5d43d6916a4affe8ff1d825f5d8ab2907f00a9df5a5c334

  • SSDEEP

    49152:pXkQq9LDj26Mx1zrHvxx5qaXqQ7hsaNsRBt87lOpSJnQxnDNZGZ8VpDTU2:pXkQqxD8NrHxhXqosaNO8JOY+6OVlU

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VANGUARD BYPASS.exe
    "C:\Users\Admin\AppData\Local\Temp\VANGUARD BYPASS.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\VANGUARD BYPASS.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\VANGUARD BYPASS.exe" MD5
        3⤵
          PID:2964
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:672
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:1876
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c certutil -hashfile "test.txt" MD5 | find /i /v "md5" | find /i /v "certutil"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4256
            • C:\Windows\system32\certutil.exe
              certutil -hashfile "test.txt" MD5
              3⤵
                PID:2740
              • C:\Windows\system32\find.exe
                find /i /v "md5"
                3⤵
                  PID:3644
                • C:\Windows\system32\find.exe
                  find /i /v "certutil"
                  3⤵
                    PID:4384

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/4720-0-0x00007FF6AE500000-0x00007FF6AEBCD000-memory.dmp

                Filesize

                6.8MB

                Download

              • memory/4720-1-0x00007FF898C70000-0x00007FF898C72000-memory.dmp

                Filesize

                8KB

                Download

              • memory/4720-5-0x00007FF6AE500000-0x00007FF6AEBCD000-memory.dmp

                Filesize

                6.8MB

                Download