47b2b56c961cdc78bf06eed30737232ba99424b51648418bacacd522a12ad339 | Triage

Analysis

max time kernel
63s
max time network
66s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 14:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

47b2b56c961cdc78bf06eed30737232ba99424b51648418bacacd522a12ad339.exe
Size

5.8MB
MD5

ee7ea2d51b2f3df6a3cf328eb21a3e2a
SHA1

2ead66bca61b7ddd1fc5f0fff36efb80f627d522
SHA256

47b2b56c961cdc78bf06eed30737232ba99424b51648418bacacd522a12ad339
SHA512

86799e5e82e9ca7b73e546f307cab9eb2f079229c69e51ed7c6600ec8c7b375c213a50f2beb356e9193c6bdf3289b09309460abf80fe00b928c6dafc0d16cdf0

Score

8^/10

vmprotect

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3732	2564	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3732	WerFault.exe
Token: SeBackupPrivilege	3732	WerFault.exe
Token: SeDebugPrivilege	3732	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe
3732	WerFault.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/3732-1-0x0000000004640000-0x0000000004641000-memory.dmp	vmprotect

C:\Users\Admin\AppData\Local\Temp\47b2b56c961cdc78bf06eed30737232ba99424b51648418bacacd522a12ad339.exe
"C:\Users\Admin\AppData\Local\Temp\47b2b56c961cdc78bf06eed30737232ba99424b51648418bacacd522a12ad339.exe"
1⤵
PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 500
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3732-0-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/3732-1-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/3732-5-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download