fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb

Analysis

max time kernel
148s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
Size

11.5MB
MD5

b4bbc7add564ad17cf7164a6f02e1dea
SHA1

f9357741e682da8dcdef33401cc28788a5aa2454
SHA256

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb
SHA512

9a820c6c82a4e4728a94941cbbc6def7028f589b98ed8a6116f19dbd56c596fa661ef3a14f7385541b57fad59e1dcfc2c64410131f4afc90c4521f923aca7899
SSDEEP

196608:uz4KsOBmKEjL2TPLPK3VIN1kKyVeEXx29BF10QpIRRh3eCFb7gC3D9J8:7f2bzK3VskKyVTXxQF1o/Xt8

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

pid process

4920 fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

pid	process
4920	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2464-0-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral2/memory/2464-1-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	vmprotect
C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	vmprotect
behavioral2/memory/4920-10-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral2/memory/4920-11-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral2/memory/2464-14-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral2/memory/4920-13-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral2/memory/4920-18-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect
behavioral2/memory/4920-19-0x0000000000400000-0x0000000001396000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

description	ioc	process
File opened (read-only)	\??\V:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\B:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\G:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\K:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\M:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\S:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\T:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\Q:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\A:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\L:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\N:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\O:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\U:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\X:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\W:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\Y:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\E:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\H:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\I:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\J:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\P:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\R:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
File opened (read-only)	\??\Z:	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exefa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

pid	process
2464	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2464	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2464	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2464	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2464	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
4920	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
4920	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
4920	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
4920	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
4920	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

description	pid	process	target process
PID 2464 wrote to memory of 4920	2464	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
PID 2464 wrote to memory of 4920	2464	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
PID 2464 wrote to memory of 4920	2464	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe	fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe

C:\Users\Admin\AppData\Local\Temp\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
"C:\Users\Admin\AppData\Local\Temp\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464

C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b40fd3acf724fa48c272b5bcbccd8a9d
Filesize
12B

MD5
5fb77dd8495a9c5600b1c77a51c1e0a8

SHA1
0d77e654ced5e7c9b2f560f7eb686f29d2004c46

SHA256
839becec7f32d84dd55540de48548ec563006ea108a122cbcdb6a3df9fb01f94

SHA512
a30faac75aaef4d2bbeaf66d7cc263598c37def806a0dcd5074d98fce0cfba5344981ae6e197af8359e1f5280417e9809e2e47b80341fb28f39270d201bfa64a

Download Submit
C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
Filesize
4.9MB

MD5
9e407ddd49443791dc269f83e5f5b95d

SHA1
069c4f0fb03ad487790e0af155befce16b30cc84

SHA256
03dce5c87a10761d154205e08d77b2ae0d750a19316b1902aef705e6b1ccff9e

SHA512
1926830fd275851b3e51bb83e19df0cc553a8214309b76f2178cc7f021cf987558671357f8c28128246fbc7a3afee05d0d2da817be45294f2b83d1f52c522f1f

Download Submit
C:\Æß¾õºÚµ¶\fa244a01456518844893ff4c12c08ba3f1760f1f4543e466a2ad10c2dfdd2eeb.exe
Filesize
3.9MB

MD5
4069192cbf3d8a7f8b3d51929fffa6a9

SHA1
c51e44bd37d005a07f09541b299b6f88c6350e68

SHA256
29af8e29920bceac15890b3d52e8349823e556e8001c91278826b819f7eda320

SHA512
55ccaef5c9331916c23fceba3d6adae17c281a43cc52228708fc71c62cd1caf1fee519cd786122e9f038f06935ab353f38a38db92460b3a63669b72db58b2bba

Download Submit
memory/2464-0-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/2464-1-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/2464-3-0x00000000004C5000-0x00000000004C6000-memory.dmp

Filesize
4KB

Download
memory/2464-14-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/4920-10-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/4920-11-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/4920-13-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/4920-18-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download
memory/4920-19-0x0000000000400000-0x0000000001396000-memory.dmp

Filesize
15.6MB

Download