7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2

Analysis

max time kernel
134s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 22:53

Target

7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
Size

128KB
MD5

2342a106181d72c9dc39c20631b8cd41
SHA1

7cfabd6ca5ef88ce53586da0c1d9bacd7896eed3
SHA256

7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2
SHA512

68f2fe662b0425302146ab7a3b7233bffb914d46459976b5dfd89d973ed729f5ded670df2d27adb31a862bc59ae88e39b89cce379d16e46730bafb060fad9e75
SSDEEP

3072:Hh1Qy3enbhcsUD/yv4PlkTHx9BAi9RVRoKXYfyhnC:Hcy3+9q6vjWAVynytC

Score

8^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/files/0x0003000000022dc3-132.dat	vmprotect

Loads dropped DLL 1 IoCs

pid	Process
2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nvuais2.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\nvuais3.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File opened for modification	C:\Windows\SysWOW64\nvuais4.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\nvuais4.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\nvuais5.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\mvewia.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File opened for modification	C:\Windows\SysWOW64\nvuais1.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\nvuais1.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\vixgtsfep.dll	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File created	C:\Windows\SysWOW64\nvuais2.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File opened for modification	C:\Windows\SysWOW64\nvuais3.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
File opened for modification	C:\Windows\SysWOW64\nvuais5.dat	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4296	2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	83
PID 2860 wrote to memory of 4296	2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	83
PID 2860 wrote to memory of 4296	2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	83
PID 2860 wrote to memory of 4268	2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	84
PID 2860 wrote to memory of 4268	2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	84
PID 2860 wrote to memory of 4268	2860	7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe	84

C:\Users\Admin\AppData\Local\Temp\7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe
"C:\Users\Admin\AppData\Local\Temp\7c52172af8ae6fadbfcc2ba18401a293649e5a8670dda9a8f78f2f11b0e5b2b2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe c:\Progra~1\dnf\vixgtsfep.dll Porn
  2⤵
  PID:4296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7C5217~1.EXE
  2⤵
  PID:4268

C:\Windows\SysWOW64\vixgtsfep.dll

Filesize
108KB

MD5
5f8a5359579310153589d37ec1409db3

SHA1
aaa6eff4a812d0a6368725289fe3a7fe98b8f3ca

SHA256
1ce7792b215f825addee74c350aa0c656a2ea7d4e3f11732c8281b5b509902f7

SHA512
ea1f59e1b34db901aefa00afc7734f91a29cc1350e4aeb21a469945ac58c0bcee11331a7f85316dddbbf497d2b554c895cb2d6d622b4b47e7e3d6f6015e40ab8

Download Submit