Analysis
-
max time kernel: 53s
max time network: 63s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 02:14
Behavioral task: behavioral1
Sample: protected_sacrifice.exe
Resource: win7-20240508-en
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: protected_sacrifice.exe
Resource: win10v2004-20240508-en
4 signatures, 150 seconds
General
-
Target: protected_sacrifice.exe
Size: 8.5MB
MD5: 5e04815f52a1ab2dc4b18f293e542ddd
SHA1: a8c9c6e0644523668ade7427477811b843b19187
SHA256: 60dc3e25f1cfac87bc4827d8379606a450e358767efcc79b0bf460c006dc57a7
SHA512: d17c89610b369f06646cbdba1ee874810b038d81d0f66be540a97f4a3e92afb49a26af99cdfa34017db2002375af6ff1c37c149c342a213dcb892ba7542b10cc
SSDEEP: 196608:u0duRAkHBahImnxr5y0u9HYbDbZxgZ6KvQ8QflFGS6C:u0s6khaLyKbDbZxgZrOflo
Score: 7/10
Malware Config
Signatures
-
YARA rule match: vmprotect
resource                                                                    yara_rule
behavioral2/memory/4412-7-0x00007FF7F3510000-0x00007FF7F453A000-memory.dmp  vmprotect
behavioral2/memory/4412-9-0x00007FF7F3510000-0x00007FF7F453A000-memory.dmp  vmprotect
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid   process
4412  protected_sacrifice.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
4412  protected_sacrifice.exe
4412  protected_sacrifice.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                       pid   process                  target process
PID 4412 wrote to memory of 4700  4412  protected_sacrifice.exe  cmd.exe
PID 4412 wrote to memory of 4700  4412  protected_sacrifice.exe  cmd.exe
PID 4700 wrote to memory of 1992  4700  cmd.exe                  certutil.exe
PID 4700 wrote to memory of 1992  4700  cmd.exe                  certutil.exe
PID 4700 wrote to memory of 5036  4700  cmd.exe                  find.exe
PID 4700 wrote to memory of 5036  4700  cmd.exe                  find.exe
PID 4700 wrote to memory of 4200  4700  cmd.exe                  find.exe
PID 4700 wrote to memory of 4200  4700  cmd.exe                  find.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\protected_sacrifice.exe (pid 4412)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\protected_sacrifice.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (pid 4700)
        cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\protected_sacrifice.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\certutil.exe (pid 1992)
            cmdline: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\protected_sacrifice.exe" MD5
        C:\Windows\system32\find.exe
            cmdline: find /i /v "md5"
        C:\Windows\system32\find.exe
            cmdline: find /i /v "certutil"
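The process tree is all the sandbox shows about the self-hash: the sample spawns cmd.exe, which runs certutil -hashfile on the sample's own on-disk path and pipes the output through two find /i /v filters. certutil prints a header line (contains "MD5"), the digest, and a footer line (contains "CertUtil"), so the two filters leave only the bare hex digest; the digest line can never be filtered because hex digits cannot spell either word. What the sample then compares that value against is not visible in this report. The Python below is an added example, not part of the Triage report or of the sample. It replays the pipeline's filtering on constructed bytes (the sample's real bytes are not on this page, and certutil's three-line Windows 10 output format is assumed), and it runs a detection over process-creation events constructed from the report's pids and command lines, flagging any certutil -hashfile whose target is the image of one of its own ancestor processes. The ppid of the root process and which of the two find.exe instances got pid 5036 versus 4200 are assumptions.

```python
"""Added example (not from the Triage report): replay the certutil self-hash
pipeline from the process tree and flag it in process-creation telemetry."""
import hashlib
import re
from dataclasses import dataclass

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\protected_sacrifice.exe"

# Constructed stand-in for the on-disk image; the real 8.5MB file is not on
# this page, only its MD5 is.
SAMPLE_BYTES = b"MZ" + b"\x90" * 64 + b"protected_sacrifice"


def certutil_hashfile(path: str, data: bytes, algo: str = "MD5") -> list[str]:
    """Mimic the three lines `certutil -hashfile <path> <algo>` prints on
    Windows 10 (assumed format: header, bare lowercase hex, footer)."""
    digest = hashlib.new(algo.lower(), data).hexdigest()
    return [
        f"{algo} hash of {path}:",
        digest,
        "CertUtil: -hashfile command completed successfully.",
    ]


def find_i_v(lines: list[str], needle: str) -> list[str]:
    """`find /i /v "needle"`: keep only lines NOT containing needle, case-insensitive."""
    return [ln for ln in lines if needle.lower() not in ln.lower()]


def self_hash_pipeline(path: str, data: bytes) -> list[str]:
    """The exact pipeline the sample spawned: header and footer are dropped,
    the digest survives because hex digits cannot contain 'md5' or 'certutil'."""
    out = certutil_hashfile(path, data, "MD5")
    out = find_i_v(out, "md5")
    out = find_i_v(out, "certutil")
    return out


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree and WriteProcessMemory table.
# ppid 0 for the root is assumed (its parent is not shown); the mapping of
# pids 5036/4200 to the two find.exe instances is assumed from table order.
EVENTS = [
    ProcEvent(4412, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(4700, 4412, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c certutil -hashfile '
              f'"{SAMPLE_PATH}" MD5 | find /i /v "md5" | find /i /v "certutil"'),
    ProcEvent(1992, 4700, r"C:\Windows\system32\certutil.exe",
              f'certutil -hashfile "{SAMPLE_PATH}" MD5'),
    ProcEvent(5036, 4700, r"C:\Windows\system32\find.exe", 'find /i /v "md5"'),
    ProcEvent(4200, 4700, r"C:\Windows\system32\find.exe", 'find /i /v "certutil"'),
]

# Constructed benign control: certutil hashing an unrelated file from a shell.
BENIGN_EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
    ProcEvent(1001, 1000, r"C:\Windows\system32\certutil.exe",
              r"certutil -hashfile C:\Temp\a.bin SHA256"),
]

# Target of -hashfile: a quoted path or a bare token.
HASHFILE_RE = re.compile(r'-hashfile\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def ancestors(events: list[ProcEvent], pid: int) -> list[ProcEvent]:
    """Walk ppid links upward until the parent is not in the event set."""
    by_pid = {e.pid: e for e in events}
    chain = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def detect_self_hash(events: list[ProcEvent]) -> list[tuple[int, int]]:
    """Return (certutil pid, ancestor pid) pairs where certutil -hashfile targets
    the image of one of certutil's own ancestors, i.e. a process hashing itself."""
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\certutil.exe"):
            continue
        m = HASHFILE_RE.search(e.cmdline)
        if not m:
            continue
        target = (m.group(1) or m.group(2)).lower()
        for anc in ancestors(events, e.pid):
            if anc.image.lower() == target:
                hits.append((e.pid, anc.pid))
    return hits


if __name__ == "__main__":
    print(self_hash_pipeline(SAMPLE_PATH, SAMPLE_BYTES))
    print(detect_self_hash(EVENTS))
```

Two caveats when reading the signature table alongside this: the eight WriteProcessMemory IoCs are each parent writing into a child it has just created (cmd.exe, certutil.exe, find.exe), which CreateProcess does for every new child, so on their own they do not indicate injection; the NtSetInformationThread ThreadHideFromDebugger call is a standard anti-debugging step and is consistent with the vmprotect YARA hits on the 16.2MB region dumped from pid 4412.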
Network
MITRE ATT&CK Matrix
Downloads
-
memory/4412-0-0x00007FF7F36F3000-0x00007FF7F3CC0000-memory.dmp  Filesize 5.8MB
memory/4412-2-0x00007FFF081E0000-0x00007FFF081E2000-memory.dmp  Filesize 8KB
memory/4412-1-0x00007FFF081D0000-0x00007FFF081D2000-memory.dmp  Filesize 8KB
memory/4412-7-0x00007FF7F3510000-0x00007FF7F453A000-memory.dmp  Filesize 16.2MB
memory/4412-8-0x00007FF7F36F3000-0x00007FF7F3CC0000-memory.dmp  Filesize 5.8MB
memory/4412-9-0x00007FF7F3510000-0x00007FF7F453A000-memory.dmp  Filesize 16.2MB