aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe
Size

12.2MB
MD5

748f4433ea04f43c0b55dc6a6e48a381
SHA1

14effd396c0af452bcde1af07b8df777e44ed38d
SHA256

aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a
SHA512

2dd339b0e0d5cadf42e1d3388b4d97777b8e6caef3e4adfc4f3fee68ce818f59dc2edf8a5ad4a1d0e6ad693e579584d566220be56297a44a03d0dec8aa28c710
SSDEEP

393216:ORMqb4FolMEDBhu+Zu8euq+UD+/2fJVGdgD9Ho:VO4FqD+F9z+C+/2RRHo

Score

7^/10

discovery vmprotect

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
652	aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe
652	aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe

VMProtect packed file 12 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/652-0-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-2-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-4-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-41-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-42-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-43-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-94-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-97-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-98-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-99-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-100-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect
behavioral2/memory/652-102-0x0000000000400000-0x0000000002102000-memory.dmp	vmprotect

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
652	aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe
652	aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
652	aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe
652	aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe

C:\Users\Admin\AppData\Local\Temp\aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe
"C:\Users\Admin\AppData\Local\Temp\aa5ae0c90edeee8a574a7b6e01f62a5e0f135a58203a4af5d3bcbff4ee9b3d8a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zcs\bin\HPSocket4C_2.dll

Filesize
2.8MB

MD5
1cf6b966365f29d060154fa5eb5c7f72

SHA1
bb110d37a96878c8c024a450d0b09cc28ef03cf0

SHA256
0e11b955048104466ed8d86db346628c1b30118ae116fa0428b0c34f486d8cf3

SHA512
6bc266813f4518f1b5e958c047972072d6d43996add9587b3c3b7ac64e2406784a2240cc9b815f29208b9b3ef77e0b647a1201ef39aab10eb3bec297294d2dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcs\bin\sqlite3_2.dll

Filesize
1.5MB

MD5
8b4fe60e7222c8713214975e55e5b97f

SHA1
a6d77c4bf78ff11159efdc3f81c02fd708d6a890

SHA256
a52ee82837cf8e32651cf51f04f541bb6c207e28f54c34c6f53fc62a72ae7477

SHA512
cecde7e1d4bc385e4a693ee48068385a8d744cee0ba2301b783dc93841cc91f53d164a8f6236c7bb34e712dc3913eb1d06a6c744421073f8293dc23ce13a5611

Download Submit
memory/652-43-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-1-0x0000000000401000-0x00000000006D4000-memory.dmp

Filesize
2.8MB

Download
memory/652-41-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-11-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/652-2-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-42-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-0-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-4-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-82-0x0000000009500000-0x0000000009519000-memory.dmp

Filesize
100KB

Download
memory/652-94-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-97-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-98-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-99-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-100-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download
memory/652-102-0x0000000000400000-0x0000000002102000-memory.dmp

Filesize
29.0MB

Download