f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b

General

Target

f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe
Size

814KB
MD5

57e4a70c18d7145fa77407a29fa2dbdc
SHA1

5ac55051c6a74c3d983ec6bb6b7a9d9d6b6094c0
SHA256

f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b
SHA512

8b76173e78fb3af90cd274a5458ed5ff5d1b1a8d8533e934d53746e8762551512e198ede2aea4be779b72e16abdfa614a585787561b02b8822965edeaf176671
SSDEEP

24576:OiqmPH18VKQjVHhT4n/a20wt2jnmGwqbl7aCCwKAJ/s:HqIV4Lj9ZA/a20wtgbl+CC5G/s

Score

8^/10

upx vmprotect

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1716-68-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-70-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-72-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-69-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-74-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-76-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-78-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-80-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-82-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-84-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-86-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-90-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-94-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-92-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-88-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-98-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-96-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-100-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-102-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-104-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-106-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-108-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-110-0x0000000000780000-0x00000000007BE000-memory.dmp	upx
behavioral1/memory/1716-112-0x0000000000780000-0x00000000007BE000-memory.dmp	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1716-55-0x0000000000400000-0x00000000005E4000-memory.dmp	vmprotect
behavioral1/memory/1716-57-0x0000000000400000-0x00000000005E4000-memory.dmp	vmprotect
behavioral1/memory/1716-60-0x0000000000400000-0x00000000005E4000-memory.dmp	vmprotect
behavioral1/memory/1716-62-0x0000000000400000-0x00000000005E4000-memory.dmp	vmprotect
behavioral1/memory/1716-67-0x0000000000400000-0x00000000005E4000-memory.dmp	vmprotect
behavioral1/memory/1716-111-0x0000000000400000-0x00000000005E4000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1716	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe
1716	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe
1716	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28
PID 1224 wrote to memory of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28
PID 1224 wrote to memory of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28
PID 1224 wrote to memory of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28
PID 1224 wrote to memory of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28
PID 1224 wrote to memory of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28
PID 1224 wrote to memory of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28
PID 1224 wrote to memory of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28
PID 1224 wrote to memory of 1716	1224	f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe	28

C:\Users\Admin\AppData\Local\Temp\f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe
"C:\Users\Admin\AppData\Local\Temp\f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\f961ae00a06e9b663487e222c7463f3f74c1473ad7727da43bc08259e24b426b.exe
  0
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1716-54-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1716-55-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1716-57-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1716-60-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1716-62-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1716-66-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1716-67-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1716-68-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-70-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-72-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-69-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-74-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-76-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-78-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-80-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-82-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-84-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-86-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-90-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-94-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-92-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-88-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-98-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-96-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-100-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-102-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-104-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-106-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-108-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-110-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1716-111-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1716-112-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing