8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b

General

Target

tester.exe
Size

310KB
MD5

79caafc8894b767c5553379e4aacc563
SHA1

8cb3a7e1feb699ffbc168c31f39f17e60b567cd6
SHA256

8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b
SHA512

d50c4c94ec84c445822ceab8e188bbbea9593122b558cd214610ab8477c6c97ab028fe2a679e613841eb61418c62972f3bb1d927fa489cbcc9e28c4de7db0be7

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll	vmprotect

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

936 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3844 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tester.exe

pid process

3920 tester.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tester.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 3920 tester.exe
Token: SeDebugPrivilege 3844 taskkill.exe

flow	ioc
13	ip-api.com

pid	process
936	timeout.exe

pid	process
3844	taskkill.exe

pid	process
3920	tester.exe

description	pid	process
Token: SeDebugPrivilege	3920	tester.exe
Token: SeDebugPrivilege	3844	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

tester.execmd.exe

description	pid	process	target process
PID 3920 wrote to memory of 1356	3920	tester.exe	cmd.exe
PID 3920 wrote to memory of 1356	3920	tester.exe	cmd.exe
PID 1356 wrote to memory of 2108	1356	cmd.exe	chcp.com
PID 1356 wrote to memory of 2108	1356	cmd.exe	chcp.com
PID 1356 wrote to memory of 3844	1356	cmd.exe	taskkill.exe
PID 1356 wrote to memory of 3844	1356	cmd.exe	taskkill.exe
PID 1356 wrote to memory of 936	1356	cmd.exe	timeout.exe
PID 1356 wrote to memory of 936	1356	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\tester.exe
"C:\Users\Admin\AppData\Local\Temp\tester.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp59FD.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2108

C:\Windows\system32\taskkill.exe
TaskKill /F /IM 3920
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
MD5
7a2d5deab61f043394a510f4e2c0866f

SHA1
ca16110c9cf6522cd7bea32895fd0f697442849b

SHA256
75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

SHA512
b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp59FD.tmp.bat
MD5
b019357e8dbd66b413208fa21d089876

SHA1
caee2b3a100015a4104d7459909770d630d68bf0

SHA256
df567cc81c89a378683221ad1e34e0bfd49d85967f2bae036d640c8869c60b3a

SHA512
660ba8746437bda3f6f6bc0afc80dcb544615d5cb8b5271b814bf65bea8b1850327494374edcbdae899cce0e42736519ef0079c0a309f48e29b8f45b0dbf944e

Download Submit
memory/936-11-0x0000000000000000-mapping.dmp

Download
memory/1356-7-0x0000000000000000-mapping.dmp

Download
memory/2108-9-0x0000000000000000-mapping.dmp

Download
memory/3844-10-0x0000000000000000-mapping.dmp

Download
memory/3920-2-0x00007FF90B900000-0x00007FF90C2EC000-memory.dmp

Filesize
9.9MB

Download
memory/3920-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/3920-5-0x0000000002830000-0x00000000028A0000-memory.dmp

Filesize
448KB

Download
memory/3920-6-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads