be2750acd7bf2354e044d389815a4c0bc919c58f97105b11ab8a8db98ca93720 | Triage

Submit
Reports

Overview

overview

7

Static

static

7

matcha.VMPDump2.exe

windows10-ltsc 2021-x64

7

Sharing

General

Target

matcha.VMPDump2.exe
Size

14.4MB
Sample

241129-smepmswral
MD5

5aa1a6295148f5907352fb953fc32974
SHA1

822b2552db01bee512cd8d790702c3cbc347e326
SHA256

be2750acd7bf2354e044d389815a4c0bc919c58f97105b11ab8a8db98ca93720
SHA512

46a89c381dff3ce6adc88a7bc80248ac935b3c4bd4d4ae743c19f61d89bb38dff9e71e274db1edc97e5cb819b22dfae2a70c1e29bf5db28c115722fd1e49740a
SSDEEP

196608:5ygp0+URy+moy5x1VVa8/+8QouVKYBS1v/PlH0w3RcpAEtaxku2R/:5ygmD5WxuHzVSv/POwBmzcyu

Score

7^/10

microsoft discovery persistence phishing privilege_escalation vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

matcha.VMPDump2.exe

Resource

win10ltsc2021-20241023-en

microsoft discovery persistence phishing privilege_escalation vmprotect

windows10-ltsc 2021-x64

33 signatures

150 seconds

Malware Config

Targets

- Target
  
  matcha.VMPDump2.exe
- Size
  
  14.4MB
- MD5
  
  5aa1a6295148f5907352fb953fc32974
- SHA1
  
  822b2552db01bee512cd8d790702c3cbc347e326
- SHA256
  
  be2750acd7bf2354e044d389815a4c0bc919c58f97105b11ab8a8db98ca93720
- SHA512
  
  46a89c381dff3ce6adc88a7bc80248ac935b3c4bd4d4ae743c19f61d89bb38dff9e71e274db1edc97e5cb819b22dfae2a70c1e29bf5db28c115722fd1e49740a
- SSDEEP
  
  196608:5ygp0+URy+moy5x1VVa8/+8QouVKYBS1v/PlH0w3RcpAEtaxku2R/:5ygmD5WxuHzVSv/POwBmzcyu
Score

7^/10

microsoft discovery persistence phishing privilege_escalation vmprotect
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops desktop.ini file(s)
- Detected potential entity reuse from brand MICROSOFT.
  phishing microsoft
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

microsoftdiscoverypersistencephishingprivilege_escalationvmprotect

© 2018-2025

Terms | Privacy