c896123aa5ab5f9d99e90e14b6ca824a8ad1a436eb6daa17078a023c3b6fcd71

Analysis

max time kernel
92s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

十彩0909正式版/十彩DEE处理器/win.exe
Size

620KB
MD5

333305e01fa304de76be7d2cce45a189
SHA1

598e4ec8c55aa13b03944c365d87d426137a0534
SHA256

40e5d7f05a82640005fa257c470c2bf0f5063d911c878e536ae09c9f3473fc67
SHA512

ec3366eb6a42d039dfcd50bfc891f4793b548b377b1937114a5ba3d67bc694c19754739a5e9c5f3bf6629ae1a85e30fb679b45942ab183556f73d9b7fb7f7daf
SSDEEP

12288:Pch2doxlPGFrVN/xYYK21QV4Ps39oy6+F0zJFa7N0Pld+BLBp4N9rUxvyg9/:PBoAFBN/Gl22mLHT67ePE47Qvn9

Score

7^/10

discovery vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral6/memory/4804-0-0x0000000000400000-0x0000000000560000-memory.dmp	vmprotect
behavioral6/memory/4804-2-0x0000000000400000-0x0000000000560000-memory.dmp	vmprotect
behavioral6/memory/4804-1675-0x0000000000400000-0x0000000000560000-memory.dmp	vmprotect

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3672	4804	WerFault.exe	81
64	4804	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe

C:\Users\Admin\AppData\Local\Temp\十彩0909正式版\十彩DEE处理器\win.exe
"C:\Users\Admin\AppData\Local\Temp\十彩0909正式版\十彩DEE处理器\win.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 392
  2⤵
  - Program crash
  PID:3672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 416
  2⤵
  - Program crash
  PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 4804
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4804 -ip 4804
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B9DC.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/4804-0-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4804-1-0x0000000000401000-0x0000000000426000-memory.dmp

Filesize
148KB

Download
memory/4804-2-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4804-1675-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4804-1676-0x0000000075CB0000-0x0000000075D44000-memory.dmp

Filesize
592KB

Download