cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
Size

2.0MB
MD5

6521702ff3e2fb002ac242f0140722e2
SHA1

1c28322092cdf339317680dea963d8ef6d0b2256
SHA256

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838
SHA512

0647fddb48d6fd52148606044c1a7045c41c3fdd8e80c54db7c60b24b15833330666524583cc695fabc84c101d1a53f0c23fc9e1f5dac43e6c11748a3d1237e5
SSDEEP

49152:F4pqoqgMqnb/tOpzXpNwFCRCVDAeAaGI6yFuhzcr8w9:F4YgXb/IhE71JGXy05w

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Consold.exeSearcE.exeSearcE.exe

pid process

3452 Consold.exe
1408 SearcE.exe
4040 SearcE.exe
Loads dropped DLL 3 IoCs

Processes:

Consold.exeSearcE.exeSearcE.exe

pid process

3452 Consold.exe
1408 SearcE.exe
4040 SearcE.exe

pid	process
3452	Consold.exe
1408	SearcE.exe
4040	SearcE.exe

pid	process
3452	Consold.exe
1408	SearcE.exe
4040	SearcE.exe

VMProtect packed file 23 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4160-0-0x0000000000400000-0x00000000008E2000-memory.dmp	vmprotect
behavioral2/memory/4160-1-0x0000000000400000-0x00000000008E2000-memory.dmp	vmprotect
C:\Users\Public\Videos\pgNzb_8\Consold.exe	vmprotect
behavioral2/memory/3452-10-0x00000000006E0000-0x000000000078F000-memory.dmp	vmprotect
C:\Users\Public\Videos\pgNzb_8\Foundation.dll	vmprotect
behavioral2/memory/3452-13-0x00000000746B0000-0x000000007470A000-memory.dmp	vmprotect
behavioral2/memory/3452-14-0x00000000746B0000-0x000000007470A000-memory.dmp	vmprotect
behavioral2/memory/3452-15-0x00000000006E0000-0x000000000078F000-memory.dmp	vmprotect
behavioral2/memory/4160-22-0x0000000000400000-0x00000000008E2000-memory.dmp	vmprotect
behavioral2/memory/1408-31-0x0000000000390000-0x000000000043F000-memory.dmp	vmprotect
behavioral2/memory/1408-33-0x0000000074DF0000-0x0000000074E4A000-memory.dmp	vmprotect
behavioral2/memory/1408-34-0x0000000074DF0000-0x0000000074E4A000-memory.dmp	vmprotect
behavioral2/memory/1408-35-0x0000000000390000-0x000000000043F000-memory.dmp	vmprotect
behavioral2/memory/1408-45-0x0000000074DF0000-0x0000000074E4A000-memory.dmp	vmprotect
behavioral2/memory/4040-47-0x0000000000390000-0x000000000043F000-memory.dmp	vmprotect
behavioral2/memory/4040-46-0x0000000074DF0000-0x0000000074E4A000-memory.dmp	vmprotect
behavioral2/memory/1408-44-0x0000000000390000-0x000000000043F000-memory.dmp	vmprotect
behavioral2/memory/4040-49-0x0000000074DF0000-0x0000000074E4A000-memory.dmp	vmprotect
behavioral2/memory/4040-50-0x0000000000390000-0x000000000043F000-memory.dmp	vmprotect
behavioral2/memory/4040-52-0x0000000074DF0000-0x0000000074E4A000-memory.dmp	vmprotect
behavioral2/memory/4040-53-0x0000000000390000-0x000000000043F000-memory.dmp	vmprotect
behavioral2/memory/3452-56-0x00000000006E0000-0x000000000078F000-memory.dmp	vmprotect
behavioral2/memory/3452-57-0x00000000746B0000-0x000000007470A000-memory.dmp	vmprotect

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4044 4040 WerFault.exe SearcE.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

pid process

4160 cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
4160 cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

pid	pid_target	process	target process
4044	4040	WerFault.exe	SearcE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

pid	process
4160	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
4160	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Consold.exesvchost.exeSearcE.exe

description	pid	process
Token: SeDebugPrivilege	3452	Consold.exe
Token: SeLoadDriverPrivilege	4496	svchost.exe
Token: SeLoadDriverPrivilege	4496	svchost.exe
Token: SeDebugPrivilege	1408	SearcE.exe
Token: SeLoadDriverPrivilege	4496	svchost.exe
Token: SeLoadDriverPrivilege	4496	svchost.exe
Token: SeLoadDriverPrivilege	4496	svchost.exe
Token: SeLoadDriverPrivilege	4496	svchost.exe
Token: SeLoadDriverPrivilege	4496	svchost.exe
Token: SeLoadDriverPrivilege	4496	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

pid process

4160 cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
4160 cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

pid	process
4160	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
4160	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exeSearcE.exe

description	pid	process	target process
PID 4160 wrote to memory of 3452	4160	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 4160 wrote to memory of 3452	4160	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 4160 wrote to memory of 3452	4160	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 1408 wrote to memory of 4040	1408	SearcE.exe	SearcE.exe
PID 1408 wrote to memory of 4040	1408	SearcE.exe	SearcE.exe
PID 1408 wrote to memory of 4040	1408	SearcE.exe	SearcE.exe

C:\Users\Admin\AppData\Local\Temp\cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
"C:\Users\Admin\AppData\Local\Temp\cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Public\Videos\pgNzb_8\Consold.exe
C:\Users\Public\Videos\pgNzb_8\\Consold.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Users\Admin\Videos\39D4C933_8\SearcE.exe
C:\Users\Admin\Videos\39D4C933_8\SearcE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\Videos\39D4C933_8\SearcE.exe
C:\Users\Admin\Videos\39D4C933_8\SearcE.exe -acsi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 608
3⤵
- Program crash
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4040 -ip 4040
1⤵
PID:4608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Videos\pgNzb_8\Consold.exe
Filesize
704KB

MD5
2c6343eafc093ff4e5d4b05cc5c6d1d6

SHA1
6c43ab04823f597649099c2158a59858432f8d6a

SHA256
e6aaa366f8c21588b59d4532e155fbdda89616097b619b83db8050409c62157c

SHA512
1eaa404b4c95e942fa95ea7ac1b5344b7466bdbf9837ef2c592e06bad3976aec45fa17ad957d3b91331f147a9b4e674a65fd584f016bb7ed484c1cf67592081f

Download Submit
C:\Users\Public\Videos\pgNzb_8\Foundation.dll
Filesize
351KB

MD5
472cdc4b6d8944f8ab7d07fae2d6e2fb

SHA1
7b69ea87786cf743b6c9ae10af6b2d68079421ea

SHA256
f1c38fbf7617b95c5759194688d10b119a5558b5c5777cea96a4dfc09c7b8369

SHA512
b58e823b3d1ea0617ea85c73c6606aaa6ba3e1811c4abbe13580a10aef2c7a2d336dd4c11b4dad03aa5464b497782066e0524c13b55e804ea4d07a630df571f3

Download Submit
C:\Users\Public\Videos\pgNzb_8\ZP.log
Filesize
148KB

MD5
81c3afd83c9ad4dfe2ef851c8b36776c

SHA1
de120038e0ea1fc4605f87b2d12b5e438455b3df

SHA256
2584fca73c9e414327f23d18b161ddabec47c40f07fa3a9f01143b21df3e77ff

SHA512
479e07b77fb7ee2161ed4776d9a9c2f9dfc63e1f520a5b1365a1f16b83893deb0b41dbc2012d3b5faee6279920517005a20fbdbdbeaf8cfaccecf6eccf9b9a95

Download Submit
memory/1408-45-0x0000000074DF0000-0x0000000074E4A000-memory.dmp

Filesize
360KB

Download
memory/1408-41-0x00000000018B0000-0x0000000001907000-memory.dmp

Filesize
348KB

Download
memory/1408-44-0x0000000000390000-0x000000000043F000-memory.dmp

Filesize
700KB

Download
memory/1408-40-0x00000000018B0000-0x0000000001907000-memory.dmp

Filesize
348KB

Download
memory/1408-39-0x00000000018B0000-0x0000000001907000-memory.dmp

Filesize
348KB

Download
memory/1408-37-0x00000000018B0000-0x0000000001907000-memory.dmp

Filesize
348KB

Download
memory/1408-31-0x0000000000390000-0x000000000043F000-memory.dmp

Filesize
700KB

Download
memory/1408-38-0x00000000018B0000-0x0000000001907000-memory.dmp

Filesize
348KB

Download
memory/1408-35-0x0000000000390000-0x000000000043F000-memory.dmp

Filesize
700KB

Download
memory/1408-34-0x0000000074DF0000-0x0000000074E4A000-memory.dmp

Filesize
360KB

Download
memory/1408-33-0x0000000074DF0000-0x0000000074E4A000-memory.dmp

Filesize
360KB

Download
memory/3452-17-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/3452-58-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/3452-23-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/3452-21-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/3452-19-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/3452-20-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/3452-18-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/3452-48-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/3452-15-0x00000000006E0000-0x000000000078F000-memory.dmp

Filesize
700KB

Download
memory/3452-14-0x00000000746B0000-0x000000007470A000-memory.dmp

Filesize
360KB

Download
memory/3452-13-0x00000000746B0000-0x000000007470A000-memory.dmp

Filesize
360KB

Download
memory/3452-10-0x00000000006E0000-0x000000000078F000-memory.dmp

Filesize
700KB

Download
memory/3452-57-0x00000000746B0000-0x000000007470A000-memory.dmp

Filesize
360KB

Download
memory/3452-56-0x00000000006E0000-0x000000000078F000-memory.dmp

Filesize
700KB

Download
memory/3452-55-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/3452-54-0x0000000002E70000-0x0000000002EC7000-memory.dmp

Filesize
348KB

Download
memory/4040-51-0x0000000003080000-0x00000000030D7000-memory.dmp

Filesize
348KB

Download
memory/4040-49-0x0000000074DF0000-0x0000000074E4A000-memory.dmp

Filesize
360KB

Download
memory/4040-50-0x0000000000390000-0x000000000043F000-memory.dmp

Filesize
700KB

Download
memory/4040-52-0x0000000074DF0000-0x0000000074E4A000-memory.dmp

Filesize
360KB

Download
memory/4040-53-0x0000000000390000-0x000000000043F000-memory.dmp

Filesize
700KB

Download
memory/4040-46-0x0000000074DF0000-0x0000000074E4A000-memory.dmp

Filesize
360KB

Download
memory/4040-47-0x0000000000390000-0x000000000043F000-memory.dmp

Filesize
700KB

Download
memory/4160-22-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4160-1-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4160-5-0x00000000773A0000-0x00000000773A1000-memory.dmp

Filesize
4KB

Download
memory/4160-0-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download