4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb

Analysis

max time kernel
59s
max time network
63s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 20:33

Target

4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
Size

10.9MB
MD5

301911b0adeaed9fbd662d1e394f7f5f
SHA1

ec5bb587917ea601f804899536a2c0b59531d9be
SHA256

4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb
SHA512

1db09c51cc8664c0ae51e220b1bee7fb157d95bf2b6b64d1e95854d155991426a4206b20632448f606f0e4513319b9207014a560a94ee288d16bb54999a8c7fb
SSDEEP

196608:hqFOkolbnEdwOyfqRH2bZJhVWzpJofBNGwkgt2p9qm1:uyodwOVE/h0zpiA7yhm1

Score

8^/10

upx vmprotect

Drops file in Drivers directory 3 IoCs

Processes:

4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts.ics	4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts.ics	4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1232-57-0x0000000002890000-0x0000000002902000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/1232-55-0x0000000000400000-0x0000000000F40000-memory.dmp	vmprotect
behavioral1/memory/1232-56-0x0000000000400000-0x0000000000F40000-memory.dmp	vmprotect
behavioral1/memory/1232-58-0x0000000000400000-0x0000000000F40000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe

pid process

1232 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe

pid process

1232 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe

pid	process
1232	4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
1232	4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe

memory/1232-54-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1232-55-0x0000000000400000-0x0000000000F40000-memory.dmp

Filesize
11.2MB

Download
memory/1232-56-0x0000000000400000-0x0000000000F40000-memory.dmp

Filesize
11.2MB

Download
memory/1232-57-0x0000000002890000-0x0000000002902000-memory.dmp

Filesize
456KB

Download
memory/1232-58-0x0000000000400000-0x0000000000F40000-memory.dmp

Filesize
11.2MB

Download