dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe
Size

4.2MB
MD5

ba611d08458c35c06eb92877ed0c63cd
SHA1

c06431628be2091c24e7a6dc08952fec66e6e204
SHA256

dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3
SHA512

028a94429d791cec47c9c31d381d4d88326045d0a3bb93fc17225b749ed9e0f8dd7b0efae8d847ca51c0dfc5e24a0c5518d97e8e124ad8555a34a1232dbb77a8
SSDEEP

98304:qJQAn5XadZI+4OkOZc59YSSv2ksctxT5RcL9P8e4jtigwvfvSt:+QAcW+BAuSdksWxTLcVeiJHQ

Score

9^/10

vmprotect

Malware Config

Signatures

Detects executables packed with VMProtect. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3996-8-0x0000000000400000-0x0000000000AE3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3996-11-0x0000000000400000-0x0000000000AE3000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Executes dropped EXE 3 IoCs

Processes:

adb.exeadb.exeadb.exe

pid process

2016 adb.exe
3852 adb.exe
4400 adb.exe
Loads dropped DLL 6 IoCs

Processes:

adb.exeadb.exeadb.exe

pid process

2016 adb.exe
2016 adb.exe
3852 adb.exe
3852 adb.exe
4400 adb.exe
4400 adb.exe
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

behavioral2/memory/3996-8-0x0000000000400000-0x0000000000AE3000-memory.dmp vmprotect
behavioral2/memory/3996-11-0x0000000000400000-0x0000000000AE3000-memory.dmp vmprotect
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe

pid process

3996 dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe

pid	process
2016	adb.exe
3852	adb.exe
4400	adb.exe

pid	process
2016	adb.exe
2016	adb.exe
3852	adb.exe
3852	adb.exe
4400	adb.exe
4400	adb.exe

resource	yara_rule
behavioral2/memory/3996-8-0x0000000000400000-0x0000000000AE3000-memory.dmp	vmprotect
behavioral2/memory/3996-11-0x0000000000400000-0x0000000000AE3000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe

pid	process
3996	dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe
3996	dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe
3996	dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe
3996	dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe

description pid process

Token: SeDebugPrivilege 3996 dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe

description	pid	process
Token: SeDebugPrivilege	3996	dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.execmd.exeadb.exe

description	pid	process	target process
PID 3996 wrote to memory of 2312	3996	dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe	cmd.exe
PID 3996 wrote to memory of 2312	3996	dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe	cmd.exe
PID 3996 wrote to memory of 2312	3996	dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe	cmd.exe
PID 2312 wrote to memory of 2016	2312	cmd.exe	adb.exe
PID 2312 wrote to memory of 2016	2312	cmd.exe	adb.exe
PID 2312 wrote to memory of 2016	2312	cmd.exe	adb.exe
PID 2312 wrote to memory of 3852	2312	cmd.exe	adb.exe
PID 2312 wrote to memory of 3852	2312	cmd.exe	adb.exe
PID 2312 wrote to memory of 3852	2312	cmd.exe	adb.exe
PID 3852 wrote to memory of 4400	3852	adb.exe	adb.exe
PID 3852 wrote to memory of 4400	3852	adb.exe	adb.exe
PID 3852 wrote to memory of 4400	3852	adb.exe	adb.exe

C:\Users\Admin\AppData\Local\Temp\dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe
"C:\Users\Admin\AppData\Local\Temp\dfa0b62eafecc8e21670c6f4a56439a900a6dc89fe81fbfeac3193489a92bdf3.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\cmd.exe
"cmd" /K prompt $g
2⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\adb.exe
adb kill-server
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016

C:\Users\Admin\AppData\Local\Temp\adb.exe
adb start-server
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\adb.exe
adb -L tcp:5037 fork-server server --reply-fd 568
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adb.exe
Filesize
5.6MB

MD5
1eb885c863d208e330e3a961849322eb

SHA1
cf909df4d928aa9053e2817fa10232880b56ca55

SHA256
e1657ca239bcf53f60dd622a8476d51b8df3c2a3169f7b6082142942560627ed

SHA512
d5a72e2aa0170d3fa41dd968a5f5e70a568c53d5449fbd0788ad016da0b6e1f1caa2c45cfdd7fdcf0a23205150e6578d25ed215b313de8dcbdae1b3a2e67bce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\platform-tools\AdbWinApi.dll
Filesize
105KB

MD5
819e3e651ac7f490eb1500e0df246c3e

SHA1
e4948268e2b3974d1728fe474195df011c380f45

SHA256
fd96c88a315ba271018c0b54e7d696aba16d6bac132d9afc49b60cb14e4a822c

SHA512
912da4212dc22adcb878c8b34ab7970a15878d7398643e8bbd3f6682d85fa5364f52a0e471d0c3299ad30fece47fba29a75ed5c83529fec3931343e34eba7fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\platform-tools\AdbWinUsbApi.dll
Filesize
71KB

MD5
414d7ff85d3707752cb5df159e81273b

SHA1
5c944ccae169d2b52d5442d0169fe6f2be7611a1

SHA256
25bb8b33eeb702b340defcf078eb249420c885b8f4fedfc3fc56ada66bcdbc14

SHA512
af2039ec528597adccf1268185d5e1686d2a276102197c3d028abf9167bc10d1d1b22b862f93bd880cf75ae2c2f6c5d0c862384f8be74008d468e69e21a019fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\platform-tools\fastboot.exe
Filesize
1.7MB

MD5
07e74ee8a79ce693b3925737fee89629

SHA1
2be35f19051d2f477ef568241258c706f366bfef

SHA256
9b9281147b9a79ef7e28b9d6856771933fc08debb33861ce298b3eb9c21715b9

SHA512
2011d338c8e8be770a81252570321a0da4291fbb78877ea1d59f0609ca12cbd6d31a18accabe57348dd42597e27cc3e310f547c9bdad251028a51cd88cc26639

Download Submit
C:\Users\Admin\AppData\Local\Temp\platform-tools\libwinpthread-1.dll
Filesize
236KB

MD5
237d93ed448e366d6d1ebc8df5a0d443

SHA1
9cd984b21dcaf1f167cf72c81a6f2196e6b578ee

SHA256
5610ca6415100dac76d2d74b3253b750c71e0c829eba47e4df9ceca30b37f254

SHA512
e9fbd346966722cbd8a646f233e38fd32f9013d225ce2ffc9a5c18be0642f80f2b221c4bba02f70fbd9fb5c84351f936f0c5e1cd438296f0a382870e4be87019

Download Submit
memory/3996-12-0x00000000054D0000-0x0000000005584000-memory.dmp

Filesize
720KB

Download
memory/3996-16-0x0000000008990000-0x000000000899A000-memory.dmp

Filesize
40KB

Download
memory/3996-2-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/3996-8-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/3996-11-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/3996-0-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/3996-14-0x0000000005B70000-0x0000000005C22000-memory.dmp

Filesize
712KB

Download
memory/3996-13-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download
memory/3996-15-0x0000000005C20000-0x0000000005CB2000-memory.dmp

Filesize
584KB

Download
memory/3996-3-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/3996-19-0x000000000BA30000-0x000000000BA42000-memory.dmp

Filesize
72KB

Download
memory/3996-18-0x000000000BA20000-0x000000000BA2A000-memory.dmp

Filesize
40KB

Download
memory/3996-4-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3996-5-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/3996-6-0x0000000000426000-0x00000000006AE000-memory.dmp

Filesize
2.5MB

Download
memory/3996-7-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/3996-1-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download