7b80b47bf8544dc821175720adc89ed99ffadbcd4252c132e688f67c3ad11e2a

Analysis

max time kernel
92s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VMProtect-Ultimate--main/VMProtect Ultimate/VMProtect Ultimate x64/VMProtect_Ext64.dll
Size

226KB
MD5

497eb359ef385fcfc803362543839c18
SHA1

22fb486074cfc4dd2ee8d84b337168b92dc254f6
SHA256

fa9849a6901be008ab8aa17b2f4b234a1d0ee9fd202fe075ec7b178e3b66ecff
SHA512

9568334e7d0bef147764f47929b4c6c9d5f13690c209c1c7b775cd5490a60b613d701d3804322cb4ead36ec4b733aaecdece8dd5df7f2b4ac2535db0bab0fcff
SSDEEP

3072:SXep6V+Hiwesaje/gwINrc1yUSh6LFGCm8EMq:JVNaq4bkCsLgC5q

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 7 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6416B534-5A38-47BA-A8DB-4253F49DC7D3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\VMProtect	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\VMProtect\ = "{6416B534-5A38-47BA-A8DB-4253F49DC7D3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6416B534-5A38-47BA-A8DB-4253F49DC7D3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6416B534-5A38-47BA-A8DB-4253F49DC7D3}\ = "VMProtect Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6416B534-5A38-47BA-A8DB-4253F49DC7D3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6416B534-5A38-47BA-A8DB-4253F49DC7D3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VMProtect-Ultimate--main\\VMProtect Ultimate\\VMProtect Ultimate x64\\VMProtect_Ext64.dll"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\VMProtect_Ext64.dll"
1⤵
- Modifies registry class
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads