Analysis

  • max time kernel: 149s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28-06-2024 19:05

General

  • Target: 18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe
  • Size: 526KB
  • MD5: 3b7c973bca4c7034c009b9cd2b0140cd
  • SHA1: 2c5de140bf2280e32fb5597d24146d73568121eb
  • SHA256: 18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334
  • SHA512: 441b2439e63b3a31f2e806f0e924977ae4119f8eb48de25367f61f74f5d03b8a0c8c2173899d6e12bbab0ace07720323eae9fb51ad469b5535f5d5d824cf2a98
  • SSDEEP: 6144:lrhCmSiJnFtXJch8bZ0iDd+gFuC88bYVWTb4gU+b2HV70/2wPe1ep1B+wsiBzVXv:lYmSczXJWSMg188MMTWSrB+wbzVXZ7o

Score
9/10

Malware Config

Signatures

  • Detects executables packed with VMProtect. (1 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs): Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (1 IoCs)
  • VMProtect packed file (1 IoCs): Detects executables packed with VMProtect commercial packer.
  • Drops file in System32 directory (9 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTPs): Attempts to interact with connected storage/optical drive(s).
  • Checks SCSI registry key(s) (3 TTPs, 26 IoCs): SCSI information is often read in order to detect sandboxing environments.
  • Modifies data under HKEY_USERS (42 IoCs)
  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe
    "C:\Users\Admin\AppData\Local\Temp\18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fJy4Hz8Y4\Driver_Setup.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\fJy4Hz8Y4\devcon.exe
        devcon install DrvInE.inf "{FD59161E-D5D4-4299-910F-511094CF4E96}\HID_DEVICE"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies system certificate store
        PID:2860
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{10ce696f-ed0f-e948-8769-4fce3d167d61}\drvine.inf" "9" "4e027734f" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\users\admin\appdata\local\temp\fjy4hz8y4"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{09c91a97-efc4-724a-b331-c7613f5034b1} Global\{5b39b767-b498-4146-8cc2-0b6ea91d9606} C:\Windows\System32\DriverStore\Temp\{80c1ab64-7dcf-a24d-ba7d-4b275772c37d}\drvine.inf C:\Windows\System32\DriverStore\Temp\{80c1ab64-7dcf-a24d-ba7d-4b275772c37d}\DrvInE.cat
        3⤵
        PID:2128

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 3
    • Peripheral Device Discovery (T1120): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\fJy4Hz8Y4\Driver_Setup.bat
    Filesize: 79B
    MD5: b05e53e28d3e66362cec2915710d7a55
    SHA1: b6e8010ef364ea05dacca461a0481244e84c8bcf
    SHA256: 644975810d9c8ba1dc42c1cd821a3b140be0ffaa8ffdc4d927c7428349643755
    SHA512: 5f0966fbf3bfa32d985b2c72dcddc3f59f20a0fb6c023f2688c253d0b6ee79bae0fe1d55dba371c9cbe06663f5b9c0f53aabfaf9717fe7f1cf8e763bf2044f3e

  • C:\Users\Admin\AppData\Local\Temp\fJy4Hz8Y4\DrvInE.inf
    Filesize: 3KB
    MD5: 607506fffa21830f75c18ff69a112246
    SHA1: 26755161758b031b7e952c24fdd929b10120fd28
    SHA256: b69c7a5e17eb9a76d5f9d2818d4db889631768949ee35f023e3ed6c8b2aa5fae
    SHA512: dc452bf226c4721b4eb069a66bf7f20bdb725bceb7ae113f429915d233d04f67e6cdaa9caf49f69fbe763e0a1cc7c8ceeffa3ce6edfe2a3da23111f4dca596da

  • C:\Users\Admin\AppData\Local\Temp\fJy4Hz8Y4\devcon.exe
    Filesize: 87KB
    MD5: 41ba1bbdd9284e49701ee94a3f446c33
    SHA1: 6d5bd532a0f9a3bf7005edeb53b4aba2d30a0c99
    SHA256: c65d9acba88d2c56422ec4aba235b0ae25bb3261bf400cd30efe11de0c4330e4
    SHA512: dc55452698966b77c157a81eb458984b17e3e3a0d3ff885479f7c823b847eb739a07782f140ced12eac75fdddd7416f923c885a9d8e8b0a10010fc07bef3da45

  • \??\c:\users\admin\appdata\local\temp\FJY4HZ~1\DrvInE.sys
    Filesize: 54KB
    MD5: c415ee7d6a509d98636c9fa5faae5a60
    SHA1: ab05530e623bd1780ccb1623138bde77655f19c9
    SHA256: 015af31cd5b19dc780cf36da0d21324d81bf46fdc8c73a850597c777f5f44857
    SHA512: 848cbc5ead4e2513d7e925a5d6739ccd2464eb53d04e1c0c12d12e4c59a8bd7c731c50d34756d922bb1bb1517f3528e7ba3b3b65fadbfb72cc584521e9631136

  • \??\c:\users\admin\appdata\local\temp\fjy4hz8y4\DrvInE.cat
    Filesize: 8KB
    MD5: fba3d6050022c44b4d2d6dd81b62f356
    SHA1: c5484dbb858ce2980f401560caf50b6f9a14b594
    SHA256: ab01bd082889fc7688876b72ecd4e04f31d1d92b786497aa24b54388da12b73e
    SHA512: 42b4694995a22c38070b9035d1e92774ddf90626b42ce0b79b5d9f08397cef0f5302ea6dc26acadafa483be09a22f92e09ee8e68d5b49e38c9b4ee91129ced99