1ad3cb82fa8909346107c1731bc1a7998967db7d6bd889d3b04cdfa6a97cf4ce

Sharing

Copy URL

Twitter E-mail

General

Target

9uSgxgRm.zip
Size

52.9MB
Sample

240927-hhz5nszelk
MD5

d1a0fdb9d7ce8c8f5625d6234bd421d5
SHA1

795eff712631ad5d6795212550e649d590805124
SHA256

1ad3cb82fa8909346107c1731bc1a7998967db7d6bd889d3b04cdfa6a97cf4ce
SHA512

8ab6f0406aec0959d1410ec5cdf98e1aae7111d5c64ccb9ec55fece2e2d6dbef55c6dce2966b721961a6f2bad6516de48a4b5b08a3b28efb1887f5213f62e954
SSDEEP

786432:1qhp4lrFnKRqYFtAEIPDNlxGw/owf1Peqkb7pNZQ3fQm1X4sid1NEkRpR74CJ5vP:1yoYqYf9svWbtQ3fQGkQk714q56C

Score

7^/10

Malware Config

Targets

- Target
  
  VMProtect 3.8.1/Lib/Linux/libVMProtectSDK32.so
- Size
  
  25KB
- MD5
  
  0192773c6965cb0b61ac968f38c5361c
- SHA1
  
  201020d5086d147aaa896cc774130f689a00a541
- SHA256
  
  e864f78e7780570c425cf1bcf7e8e5360ff7fe034875a2c93bce85187a56e324
- SHA512
  
  62dbbb798659469cbcfe444b5abe964fb8b5de1809c88f7d0d2a096c7a65ecc80de5ad96f4856071fd1504b33a9b5be1e6b0be2d775844b3582a3acd5ce52a98
- SSDEEP
  
  384:Sc6LggOxAHXUtyQv5YLNf37oBz3r37FDSuyU12ZNU/LglzWYO9F6xuVlXOgMr/7k:Sc6LfOx/N5YyyU6UFQx2IgMr/7EhZXx
Score

1^/10
behavioral1
- Target
  
  VMProtect 3.8.1/Lib/Linux/libVMProtectSDK64.so
- Size
  
  31KB
- MD5
  
  aff60628c99a1ed7ce30acdaf0ad9f98
- SHA1
  
  39d03c53d55d7ccf297dc1b39bd896e3a7487011
- SHA256
  
  28d72c59cefe78018e4be492d1f75a024f19c754671ce2e024e7c64caa53a565
- SHA512
  
  e6e2fd4eb7c79e46b78242299f002103e170b19948aaec3215e543cd78cda395a711f3eac7df4911663b4d3d6e99ecea0f11bf36d0581dfbdc636368d4486953
- SSDEEP
  
  768:q6he00JUA6NaqXPk8/6LOM+Bqqqqqcwc5h8D+HvKN:Y0tX/6LOMS8ci
Score

1^/10
behavioral2
- Target
  
  VMProtect 3.8.1/Lib/OSX/libVMProtectSDK.dylib
- Size
  
  49KB
- MD5
  
  9e8b1631666d104c3174973c7ce1fd69
- SHA1
  
  2e4d050e032a06a97b7cc9f9f377dde4903813f1
- SHA256
  
  70aaff7866b55a7f6a238f20d26c375aad14b5286fae2b923e91398847d25f68
- SHA512
  
  9742092c90c3726acedff5347ffd055bc33bbdd046b2ef06a4519eb6d5031bcc59cb31cea810ff4629f1571546cb7ff681a98fb4541d3f12b0a79b45cb177c2a
- SSDEEP
  
  768:JYsIlAGwZI5l19U1I+8Qi0RWOdQL8r+3INQ0VldkFYuMAykBGSZtQ1:+sEwi0+WR
Score

1^/10
behavioral3
- Target
  
  VMProtect 3.8.1/Lib/Windows/Net/VMProtect.SDK.dll
- Size
  
  10KB
- MD5
  
  386a8f34e2f7c2f4831a28c89f811eb4
- SHA1
  
  0cfd393740b370e268d2cfa16a4148999132bc05
- SHA256
  
  cf23df5bcff3a3662b913d54181cf1d931244297516a2d6583db4016dab9eb27
- SHA512
  
  3fb12912277a5f3eef49f68dd75bd13ca2e13f472f6554d2b3475fa8d7d21db0ff43afee1888b1e58d365502d96a92ddd65f9a60819213c60e62e83ad5cebf90
- SSDEEP
  
  96:ejKLWlYY8hV5ln3KXkhk6EIIIII/Kg5y0bNVOz7RpSxr9+PXCr3c7adOHKMHl3QF:hY8TTvOIIIII/J0z/Sxrt3MHlA
Score

1^/10
behavioral4 behavioral5
- Target
  
  VMProtect 3.8.1/Lib/Windows/VMProtectDDK32.sys
- Size
  
  3KB
- MD5
  
  597490194f19e347b3e9081b12fd6bd0
- SHA1
  
  5676c30bee279afc02daa06287bd2b105fe110d5
- SHA256
  
  85c8308a65d85a4fe9de7abdbf6102b973ad82b605df12fa9053b463bfd1ace7
- SHA512
  
  5575d2f493c0923e9f5ad887e4d45d6f073e9993d8c519384d6623ae0be3525e6f8cd81589eb07e29fc6b958e66cac8f0372cf143c61b0d1786c43cc03be6cff
Score

3^/10

discovery
behavioral6 behavioral7
- Target
  
  VMProtect 3.8.1/Lib/Windows/VMProtectDDK64.sys
- Size
  
  4KB
- MD5
  
  5b8dbc31146a4ce242db57d8f8d1d8d1
- SHA1
  
  bf1715bea6710a19f3ca3c4832fc95df427e66ae
- SHA256
  
  533ae746fc8c721b58c09d8c7dbd3279cd461e039eb3d6fa7c3574670b8bb716
- SHA512
  
  429a8ff9eee4579d69c6ea2f63d65adbe1d8eb862e69a15f683fb5c38956c66a4a22ebec14d34748aac8010d7473af4eb83df4d0467373a91c89c9f4154d7c74
Score

1^/10
behavioral8 behavioral9
- Target
  
  VMProtect 3.8.1/Lib/Windows/VMProtectSDK32.dll
- Size
  
  98KB
- MD5
  
  982b848c338b0501b45e10cfd3ea0031
- SHA1
  
  1072069c3ad42ad9b5d57d392d7a06c6fca99661
- SHA256
  
  cf61053ece6ee4c7f0bcb88193ffd805b19cc6dff592dd60499b3d97684d73eb
- SHA512
  
  894c36318175144a6874d5028e9fc241517cddb5c04743c9757107c1a5eec55012a7a8ed13bbfb5170e8cae904b06785ad0f9eba8f1795a5e2ff366da34b059f
- SSDEEP
  
  1536:pT33kLmdI52QC2mCYKw2cr2RhXbZ9qu/nDw2a1+YRroJQusWMIcdw30YXowGF:bhQC2mCYK3RhrZ9dPk2Q9yMJw30YRG
Score

3^/10

discovery
behavioral10 behavioral11
- Target
  
  VMProtect 3.8.1/Lib/Windows/VMProtectSDK64.dll
- Size
  
  116KB
- MD5
  
  147fe4c34c7eaeaa4cb1fc0c253f79ed
- SHA1
  
  c5ad57e2ad6bdfd5132c36c3d7f21e90b1f119b0
- SHA256
  
  5c08aebd5793fc7c531e04133abef6362636254b27ff1f84ab14a48da34d5f71
- SHA512
  
  fdf36950f71ae17a27db365fc37b101a2aeeaba32982655a711dabfa4cc9f1bdc37cb73ddbee32759f18bdc90677bedb191a72dd7c0edecc4e240c604f0743ab
- SSDEEP
  
  3072:FmcqYHq7Aiytzg2ScpvgJcG5sqYX6UOHNlBS:Q0Hq7AiyegZgJZSXmtH
Score

1^/10
behavioral12 behavioral13
- Target
  
  VMProtect 3.8.1/VMProtect.exe
- Size
  
  31.0MB
- MD5
  
  458b66803268730581f3465adb827f25
- SHA1
  
  7c53722819e44f870d742f68b8225ca2d6c4daca
- SHA256
  
  83dd117888092caf1b940c62fc6a8164b73deaed6d090c015ecac7878afbbbab
- SHA512
  
  65a21e476c6c8def889df024863cb170d3d33e899d905344cd392226d64920636f0ecc63168b32cb745efe097bc4c8a33669a04ecb42a578b19038cc85eb7905
- SSDEEP
  
  786432:PZVqD0sPPmguJBvV7eiPw4fx19FSP1lTij:Tq0sH7EN5M1lQ
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral14 behavioral15
- Target
  
  VMProtect 3.8.1/VMProtect_Con.exe
- Size
  
  23.3MB
- MD5
  
  3ede92df602a653e15207211d06337df
- SHA1
  
  14e53cb72b001cafb81baea0c9b70d3aec155b2e
- SHA256
  
  42f939debd982b6b4a31d8dc0deeaaae049ae77b14b9cc544983349fc4f8fd13
- SHA512
  
  a3fd99119e6d3c18a04e9e42f948a52be8a24618b9f1f3d9f3d92415fc720994252ef1d1a738724d6097aafebcc5265916d334a6fc9a9127ae380d54b8a0ee39
- SSDEEP
  
  393216:ppjwKLDShLKiM4SWpv4gOs0KgFlvUnrAR39BYZkh6EfBolbb10:plhDOLzv4S05FNgcR39B8EfBolu
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral16 behavioral17
- Target
  
  VMProtect 3.8.1/VMProtect_Ext32.dll
- Size
  
  203KB
- MD5
  
  57d5dc6a6c75227f65cd7f15586821cd
- SHA1
  
  0a743d269e52c834c9f0b2b588711a4815bc62dd
- SHA256
  
  edd6045ced7a47944340fcd697ce18a39f6e110757d030a63955c7e96984d701
- SHA512
  
  06b7f9506378829c47ab35574f4313af17f49f38c6517fdf82652a9fe76433ca1c11f50f9cf44d8c0de898d2b7db65bda1171cea8d1fa484c102581362974a0d
- SSDEEP
  
  1536:k8nI73PQ/7Iik4j6cI5roCqo7ms0amw4dBQ3kBwsW9cdW1nh/XbbTgjkXzeXlttO:E7/fcI9oCqk1L8BqkrW1h/X38EMqF
Score

3^/10

discovery
behavioral18 behavioral19
- Target
  
  VMProtect 3.8.1/VMProtect_Ext64.dll
- Size
  
  226KB
- MD5
  
  03f91a9f0ae86664d28c1c2267ec429b
- SHA1
  
  e4c0847c62a1ee492ba48671b66b280579be3bae
- SHA256
  
  06c5896b3c704061847140d439553f6d9c2f8f8bf2c74f429a668d95574097ad
- SHA512
  
  ddc03634ba18cb70240b6d40cc261684340048aec9acee3d1cff05ac2909bbd7cd0bfed4fb08eb4e8494d15069850b6bc260241918010c1104cc8b16f3361a3e
- SSDEEP
  
  3072:OXep6V+Hiwesaje/gwINrc1yUyhxQLFGCm8EMq:FVNaq4bkC3QLgC5q
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral20 behavioral21
- Target
  
  VMProtect 3.8.1/unins000.exe
- Size
  
  1.1MB
- MD5
  
  13f5ab9ebe7e82d87673404710264b1c
- SHA1
  
  9110343d068d938e0087650ca4079878c5ce29ae
- SHA256
  
  652a12fa542942bceb114fb8d0a57b4f717219fe2a64074d5cf8552a22237254
- SHA512
  
  cc3e30a4fce70c42025fcac00dc1aab9cb1db29374dee6dcd72a522fdb372a1306d64d264e7f43dc427296b3db15f7339da1b3a3bd8acca15104ea2532482ee1
- SSDEEP
  
  24576:cKbqslNoiGO+h84C6f8HSCNFfoJMpNOErZTOzu5xTxytz:zwY6fULNntNXc
Score

7^/10

discovery
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral22 behavioral23

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Event Triggered Execution: Component Object Model Hijacking

Deletes itself

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23