7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2

General

Target

7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
Size

128KB
MD5

2342a106181d72c9dc39c20631b8cd41
SHA1

7cfabd6ca5ef88ce53586da0c1d9bacd7896eed3
SHA256

7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2
SHA512

68f2fe662b0425302146ab7a3b7233bffb914d46459976b5dfd89d973ed729f5ded670df2d27adb31a862bc59ae88e39b89cce379d16e46730bafb060fad9e75
SSDEEP

3072:Hh1Qy3enbhcsUD/yv4PlkTHx9BAi9RVRoKXYfyhnC:Hcy3+9q6vjWAVynytC

Score

8^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/files/0x0007000000013494-54.dat	vmprotect

Deletes itself 1 IoCs

pid	Process
996	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nvuais3.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File opened for modification	C:\Windows\SysWOW64\nvuais4.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\nvuais4.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\ldmehhteo.dll	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\mvewia.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File opened for modification	C:\Windows\SysWOW64\nvuais1.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File opened for modification	C:\Windows\SysWOW64\nvuais2.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File opened for modification	C:\Windows\SysWOW64\nvuais5.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\nvuais5.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\nvuais1.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\nvuais2.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File opened for modification	C:\Windows\SysWOW64\nvuais3.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1904	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	27
PID 1336 wrote to memory of 1904	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	27
PID 1336 wrote to memory of 1904	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	27
PID 1336 wrote to memory of 1904	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	27
PID 1336 wrote to memory of 1904	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	27
PID 1336 wrote to memory of 1904	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	27
PID 1336 wrote to memory of 1904	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	27
PID 1336 wrote to memory of 996	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	28
PID 1336 wrote to memory of 996	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	28
PID 1336 wrote to memory of 996	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	28
PID 1336 wrote to memory of 996	1336	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	28

C:\Users\Admin\AppData\Local\Temp\7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
"C:\Users\Admin\AppData\Local\Temp\7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe c:\Progra~1\dnf\ldmehhteo.dll Porn
  2⤵
  PID:1904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7C5217~1.EXE
  2⤵
  - Deletes itself
  PID:996

\Windows\SysWOW64\ldmehhteo.dll

Filesize
108KB

MD5
5f8a5359579310153589d37ec1409db3

SHA1
aaa6eff4a812d0a6368725289fe3a7fe98b8f3ca

SHA256
1ce7792b215f825addee74c350aa0c656a2ea7d4e3f11732c8281b5b509902f7

SHA512
ea1f59e1b34db901aefa00afc7734f91a29cc1350e4aeb21a469945ac58c0bcee11331a7f85316dddbbf497d2b554c895cb2d6d622b4b47e7e3d6f6015e40ab8

Download Submit
memory/1904-57-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download