4d34911cc6d9d7b6f8eb4e43a384995af24479a2f7b9c902d26a584aeb460780

Analysis

max time kernel
76s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 06:17

Target

b0e9448560ee599a965956a5efb0227b.exe
Size

278KB
MD5

b0e9448560ee599a965956a5efb0227b
SHA1

b5eb428385e2e3f47989b3c799e299766c64322a
SHA256

4d34911cc6d9d7b6f8eb4e43a384995af24479a2f7b9c902d26a584aeb460780
SHA512

173c469ae4c0bc88c5a57c65e78f970b1b1e04c35c671380df1b2f8c1fdb359b8772e1b5b9acde283f2af4e9fcb3dc7e25232c833da9982df7be2c017226de03
SSDEEP

3072:I54a/hIdKf8TfmRgq2QI39d7P3pjTvcEOgDX/hA45baARY5MtF9vdRzQKlfsB0Ni:cpudlTfLF5v1A4xav5YpdaKldfhfoq2

Score

8^/10

themida

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

resource	yara_rule
behavioral2/memory/1784-136-0x0000000000830000-0x0000000000EF1000-memory.dmp	themida

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	b0e9448560ee599a965956a5efb0227b.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85
PID 1656 wrote to memory of 1784	1656	b0e9448560ee599a965956a5efb0227b.exe	85

C:\Users\Admin\AppData\Local\Temp\b0e9448560ee599a965956a5efb0227b.exe
"C:\Users\Admin\AppData\Local\Temp\b0e9448560ee599a965956a5efb0227b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\b0e9448560ee599a965956a5efb0227b.exe
  "C:\Users\Admin\AppData\Local\Temp\b0e9448560ee599a965956a5efb0227b.exe"
  2⤵
  PID:1784

memory/1656-132-0x0000000000D70000-0x0000000000DBC000-memory.dmp

Filesize
304KB

Download
memory/1656-133-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/1784-136-0x0000000000830000-0x0000000000EF1000-memory.dmp

Filesize
6.8MB

Download