Overview

overview

7

Static

static

7

bbd3f64b75...1a.exe

windows7-x64

7

bbd3f64b75...1a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11/09/2024, 11:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbd3f64b75d716dbeb61a7510e90a4d4249e33dd6ec3cf8ce7588a8b89eba71a.exe

  • Size

    5.6MB

  • MD5

    9c3e3e209ceb90dfd938d2601ce97f7d

  • SHA1

    3d893e8b945857d157a1012c0849b2e085e63fe7

  • SHA256

    bbd3f64b75d716dbeb61a7510e90a4d4249e33dd6ec3cf8ce7588a8b89eba71a

  • SHA512

    b45ac76adeb70132ce8df800645131ee7dd3c43b83fa72557d7d32ccfffb7c97e0800d42743449f024b6f6431ee2fbcb02c974dc9ee77111c9cdea7dec21cd15

  • SSDEEP

    98304:ExeeHncufaoTlD8AOrXQ9UR8pzePsAOmUevOshs0EOQC5oqYITMzdhHHQ82a:ExHffaoRD8AKQSe+sGUeFnEOQEofz/QQ

Score
7/10
discoverypersistencevmprotect

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • VMProtect packed file 11 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbd3f64b75d716dbeb61a7510e90a4d4249e33dd6ec3cf8ce7588a8b89eba71a.exe
    "C:\Users\Admin\AppData\Local\Temp\bbd3f64b75d716dbeb61a7510e90a4d4249e33dd6ec3cf8ce7588a8b89eba71a.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
    Filesize

    92B

    MD5

    b93e4dff6366cad398fa944fe30bdc48

    SHA1

    156056d76954122703fd8bef8624c4513afc0a56

    SHA256

    26d2948e0475bbfeb8fd453cd5c009401a79580f07f04e0b268a867f790672ee

    SHA512

    2bdfe257925bd5f56b8e60d971424fc50f38ab90f2adecf16bc58790765c9997b3c9e8e7224fe0ef056095e721bcd5c62e1c2d7aa1c4ed537ae63acee1c4e174

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize

    753B

    MD5

    65afa2a1ca3e9c97223dd6a3d9c66ca5

    SHA1

    39ae62e0d188b2118fd63f2c4fc7e38b96375229

    SHA256

    8a2789f2635d582845b87aef13b766457ec2d4fcd63473ef802d12e4ee952681

    SHA512

    394aa8cc13371413c1b5778d7c38c2e78e584129683c5fc0e428260d033ff5940bf8412329615f02541f2bd9216ed1ad258c42748ccaeb74b8a1e4b8991651b4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize

    5.6MB

    MD5

    68d3b3155d46172e1154c0ba77815f98

    SHA1

    8e9e81fe9dac81cb9a76a8972f834a836d2ce241

    SHA256

    44e6aec4c48dc286b3c2a49c4bb9e53e63aea771d317635d7c2bab69dea4f8a2

    SHA512

    1db7539eea35f23d3d7dc750e92e0094b54fd991f7a06c507d8cca24be7f0095da336adf1365c6fd0dcc01fdaab32d40ef101d2299313e98fde1a8f764fa5712

    Download Submit

  • memory/2556-7-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-35-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2556-32-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-30-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-29-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-27-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-24-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-22-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-19-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-14-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-12-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-9-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-34-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-43-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2556-5-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-44-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2556-36-0x0000000000551000-0x0000000000895000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2556-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-56-0x0000000000551000-0x0000000000895000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2556-57-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2556-60-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2556-63-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2556-67-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2556-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-70-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2556-73-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2556-76-0x0000000000400000-0x0000000000E2A000-memory.dmp

    Filesize

    10.2MB

    Download