d2e7e99b9676576373738837792b8f31f07ba824994ec8e25842257eb4f1e42a | Triage

Analysis

max time kernel
18s
max time network
72s
platform
windows10_x64
resource
win10v20201028
submitted
10/11/2020, 06:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d2e7e99b9676576373738837792b8f31f07ba824994ec8e25842257eb4f1e42a.exe
Size

1.1MB
MD5

7f73e61d4aa8e88b9c01cdf57b3f4c32
SHA1

e9a8cf3ece3ece1be52cda36ffba55851ff8f6ad
SHA256

d2e7e99b9676576373738837792b8f31f07ba824994ec8e25842257eb4f1e42a
SHA512

ccb12690e22b134665f0794425f2a1e49099743e075b2c697303453388dba4f6b41c6446e8e3f328a389183b243f94c6ff5a1ee384403240bf7ba46a19ec6cc3

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/2168-1-0x0000000004B80000-0x0000000004B81000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	3152	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2168	WerFault.exe
Token: SeBackupPrivilege	2168	WerFault.exe
Token: SeDebugPrivilege	2168	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d2e7e99b9676576373738837792b8f31f07ba824994ec8e25842257eb4f1e42a.exe
"C:\Users\Admin\AppData\Local\Temp\d2e7e99b9676576373738837792b8f31f07ba824994ec8e25842257eb4f1e42a.exe"
1⤵
PID:3152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 272
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-0-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2168-3-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download