update[.]7z | Triage

Sharing

General

Target

update.7z
Size

5.3MB
MD5

79695e161967335b12798c150aee3405
SHA1

86a028b2ac7675a803358876aaae5f8c1a4facca
SHA256

eabde0185b4ff5b906aee5d9e6fd96cdbfa49ba747b240d4785ee680eb4d0a3d
SHA512

c64a9df20a69f3bed8f7f23763f988581eb9abde8818e50154ceb5d6980a36642a280388ce0cdfc18027aa4c97278c4e0dcc5dd29c861be0a32b96e659e62bd5
SSDEEP

98304:pu1Pbky0qzc7Az4sOKIs8FrUihVC9XHQi4zGExeDGdKuNDsh:pQvOAzzFIswrUihWXwi4q1u5sh

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
static1/unpack001/update.exe	vmprotect

Files

update.7z
.7z

Password: __=infected--=
update.exe
.exe windows x86

Password: __=infected--=

d7c894f13df0560219eef2c3c2178ce2

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

winmm

timeEndPeriod

ws2_32

WSAGetOverlappedResult

kernel32

WriteFile
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

wtsapi32

WTSSendMessageW

user32

GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

Sections

.text
Size: - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 882B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: - Virtual size: 4B

IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 5.5MB - Virtual size: 5.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ