fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
Size

11.5MB
MD5

b4bbc7add564ad17cf7164a6f02e1dea
SHA1

f9357741e682da8dcdef33401cc28788a5aa2454
SHA256

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb
SHA512

9a820c6c82a4e4728a94941cbbc6def7028f589b98ed8a6116f19dbd56c596fa661ef3a14f7385541b57fad59e1dcfc2c64410131f4afc90c4521f923aca7899
SSDEEP

196608:uz4KsOBmKEjL2TPLPK3VIN1kKyVeEXx29BF10QpIRRh3eCFb7gC3D9J8:7f2bzK3VskKyVTXxQF1o/Xt8

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

pid process

2344 fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
Loads dropped DLL 2 IoCs

Processes:

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exefa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

pid process

1280 fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2344 fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

pid	process
2344	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1280-0-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral1/memory/1280-1-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	vmprotect
behavioral1/memory/2344-14-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral1/memory/2344-15-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral1/memory/1280-20-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral1/memory/2344-26-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

description	ioc	process
File opened (read-only)	\??\B:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\H:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\V:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\G:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\O:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\T:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\W:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\Z:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\A:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\E:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\I:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\L:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\N:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\S:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\U:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\Y:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\J:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\K:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\M:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\P:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\Q:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\R:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\X:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exefa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

pid	process
1280	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
1280	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
1280	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
1280	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
1280	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2344	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2344	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2344	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2344	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2344	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

description	pid	process	target process
PID 1280 wrote to memory of 2344	1280	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
PID 1280 wrote to memory of 2344	1280	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
PID 1280 wrote to memory of 2344	1280	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
PID 1280 wrote to memory of 2344	1280	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

C:\Users\Admin\AppData\Local\Temp\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
"C:\Users\Admin\AppData\Local\Temp\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b40fd3acf724fa48c272b5bcbccd8a9d
Filesize
12B

MD5
5fb77dd8495a9c5600b1c77a51c1e0a8

SHA1
0d77e654ced5e7c9b2f560f7eb686f29d2004c46

SHA256
839becec7f32d84dd55540de48548ec563006ea108a122cbcdb6a3df9fb01f94

SHA512
a30faac75aaef4d2bbeaf66d7cc263598c37def806a0dcd5074d98fce0cfba5344981ae6e197af8359e1f5280417e9809e2e47b80341fb28f39270d201bfa64a

Download Submit
C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
Filesize
11.5MB

MD5
b4bbc7add564ad17cf7164a6f02e1dea

SHA1
f9357741e682da8dcdef33401cc28788a5aa2454

SHA256
fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb

SHA512
9a820c6c82a4e4728a94941cbbc6def7028f589b98ed8a6116f19dbd56c596fa661ef3a14f7385541b57fad59e1dcfc2c64410131f4afc90c4521f923aca7899

Download Submit
memory/1280-5-0x00000000004C5000-0x00000000004C6000-memory.dmp

Filesize
4KB

Download
memory/1280-0-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/1280-3-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1280-13-0x0000000005810000-0x00000000067A6000-memory.dmp

Filesize
15.6MB

Download
memory/1280-20-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/1280-1-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/2344-14-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/2344-15-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/2344-24-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/2344-26-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/2344-27-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download