File name:	Vimped.exe
Full analysis:	https://app.any.run/tasks/fc583b0d-33d7-4360-814b-efc61507f70a
Verdict:	Malicious activity
Analysis date:	August 15, 2024, 14:04:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	EA51A0D165AA837310218755D8F9FAE6
SHA1:	4C0A5955D7C35D1F0D60B16C30AE1515BA6DF5B4
SHA256:	279BA9ACF9C05DFB7F91F56436A1F8C8A642C75128F32F9DD75496FA8F74C3AA
SSDEEP:	98304:tHfIKtXHAqvMi+nNF9bNY63RgIb1dPakI28wEFP50NAXT+Zb0W+HdTYw7rsRjB7g:x5RyijZwvHunP+aPT

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:06:29 12:58:30+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.37
CodeSize:	1012736
InitializedDataSize:	408064
UninitializedDataSize:	-
EntryPoint:	0x1581058
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(6492) Vimped.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DusmSvc\Settings
Operation:	write	Name:	EthernetResetTime
Value: 5BC9EE8F1DEFDA01
(PID) Process:	(7012) ldrupd.bin	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7012) ldrupd.bin	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7012) ldrupd.bin	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7012) ldrupd.bin	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(7068) Vimped.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DusmSvc\Settings
Operation:	write	Name:	EthernetResetTime
Value: F09454941DEFDA01
(PID) Process:	(4604) ldrupd.bin	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4604) ldrupd.bin	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4604) ldrupd.bin	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4604) ldrupd.bin	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
7012	ldrupd.bin	C:\Users\admin\Desktop\Vimped.exe		executable
		MD5:85877D16342CEA80354627B1E26BD1A5	SHA256:309D16AF0620DA1D4811BDBFFAC56CBE4CFBBB2B1A190073571E7EFE0B3F6B2A
7068	Vimped.exe	C:\Users\admin\AppData\Local\ldrupd.bin		executable
		MD5:A24978A6B77E2CD99823E24C6EB4D055	SHA256:80AC94C086EB6E52BC3BBEBD86E0795F6CB7476153AF0C767B9AE4B7E9931140
4604	ldrupd.bin	C:\Users\admin\Desktop\Vimped.exe		executable
		MD5:DAB3A08EA209356F50550C6EE1B3E6DD	SHA256:E5498F96CB76C5D3DEF0EBB08B9CDFB3EA80A9AA9A607202EC99AFBC9FBBF605
6492	Vimped.exe	C:\Users\admin\AppData\Local\ldrupd.bin		executable
		MD5:A24978A6B77E2CD99823E24C6EB4D055	SHA256:80AC94C086EB6E52BC3BBEBD86E0795F6CB7476153AF0C767B9AE4B7E9931140

PID	Process	IP	Domain	ASN	CN	Reputation
3028	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
1248	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3028	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6492	Vimped.exe	51.222.31.217:3333	—	OVH SAS	CA	unknown
4324	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7068	Vimped.exe	51.222.31.217:3333	—	OVH SAS	CA	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted

General Info

Vimped.exe

EA51A0D165AA837310218755D8F9FAE6

4C0A5955D7C35D1F0D60B16C30AE1515BA6DF5B4

279BA9ACF9C05DFB7F91F56436A1F8C8A642C75128F32F9DD75496FA8F74C3AA

98304:tHfIKtXHAqvMi+nNF9bNY63RgIb1dPakI28wEFP50NAXT+Zb0W+HdTYw7rsRjB7g:x5RyijZwvHunP+aPT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads the BIOS version

Drops the executable file immediately after the start

Connects to unusual port

Executable content was dropped or overwritten

Starts application with an unusual extension

Reads the date of Windows installation

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Searches for installed software

INFO

Reads the computer name

Checks supported languages

Process checks whether UAC notifications are on

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads product name

Reads Windows Product ID

Process checks computer location settings

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings