ee67215d30e8b08d54518f88ecdb0fdbb7f2791960c0021f799d122c745608e7

Resubmissions

09-10-2024 19:31

241009-x8h2eawgpc 10

09-10-2024 19:27

241009-x6cfvawgjc 10

Analysis

max time kernel
132s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VBR.exe
Size

7.6MB
MD5

81711a07e09960fb3cff42a395a0d6da
SHA1

a0ee96f364149e8b49758773106916accd212f83
SHA256

ee67215d30e8b08d54518f88ecdb0fdbb7f2791960c0021f799d122c745608e7
SHA512

f68faef3d59878c52011c77ad7e66c5e7bae5ce3c435635bacd78c1f8efea682fec688f2676d55130e268dbc3a4261c518029dbae36527e356507d3636869cc1
SSDEEP

196608:Hyd0cDeQLjv+bhqNVoBKUh8mz4Iv9Pfu1D7c:9ieAL+9qz8/b4INuRc

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2500	VBR.exe
2460	VBR.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019275-22.dat	upx
behavioral1/memory/2460-70-0x000007FEF4CC0000-0x000007FEF52A9000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2500	1708	VBR.exe	31
PID 1708 wrote to memory of 2500	1708	VBR.exe	31
PID 1708 wrote to memory of 2500	1708	VBR.exe	31
PID 532 wrote to memory of 2460	532	VBR.exe	35
PID 532 wrote to memory of 2460	532	VBR.exe	35
PID 532 wrote to memory of 2460	532	VBR.exe	35

C:\Users\Admin\AppData\Local\Temp\VBR.exe
"C:\Users\Admin\AppData\Local\Temp\VBR.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\VBR.exe
  "C:\Users\Admin\AppData\Local\Temp\VBR.exe"
  2⤵
  - Loads dropped DLL
  PID:2500

C:\Users\Admin\AppData\Local\Temp\VBR.exe
"C:\Users\Admin\AppData\Local\Temp\VBR.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Local\Temp\VBR.exe
  "C:\Users\Admin\AppData\Local\Temp\VBR.exe"
  2⤵
  - Loads dropped DLL
  PID:2460

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI17082\python311.dll

Filesize
1.6MB

MD5
0b66c50e563d74188a1e96d6617261e8

SHA1
cfd778b3794b4938e584078cbfac0747a8916d9e

SHA256
02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2

SHA512
37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f

Download Submit
memory/2460-70-0x000007FEF4CC0000-0x000007FEF52A9000-memory.dmp

Filesize
5.9MB

Download
memory/2500-24-0x000007FEF56A0000-0x000007FEF5C89000-memory.dmp

Filesize
5.9MB

Download