2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 03:03

Target

2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
Size

3.5MB
MD5

2bbeaf65fe70ffad6405332b7e19b43e
SHA1

544c3fe26871bb2d3f940c6b1e466e2280af7df5
SHA256

2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8
SHA512

1e11b36439550995616bd98ea647ce45f2055d2c1022f9fd25536f48dd00d5487185b668e2c543f6d79ff9c34fb30ab74c50de5218ca160274f96fd473be569f
SSDEEP

98304:DTp2wpw5ufHPJ0jqDp6FYskEhipjhj8EJqaF1t:D7w5KPqG96+skC5QqaF1

Score

8^/10

vmprotect

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/4884-132-0x0000000002A00000-0x0000000002BCD000-memory.dmp	vmprotect
behavioral2/memory/4884-134-0x0000000002A00000-0x0000000002BCD000-memory.dmp	vmprotect
behavioral2/memory/4884-135-0x0000000002A00000-0x0000000002BCD000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe

pid process

4884 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe

pid	process
4884	2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
4884	2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe

pid process

4884 2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3292 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3292 AUDIODG.EXE

description	pid	process
Token: 33	3292	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3292	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe

pid	process
4884	2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
4884	2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
4884	2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe
4884	2ba9a9856c134f0ec9bb3a55e6acf5f1e94ddcf0361d639e4b146b72db1036b8.exe

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x2e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
532KB

MD5
d6580cc678d0a80596628cd3cab61ff1

SHA1
db1390e3e7f711187fd4313473f1553308701414

SHA256
265aa2c0a2fa572e6787560a4942b5f5ae72cc857b99ede35c29305794b81ab7

SHA512
f990e2d25d03e01ca848a3f20d4c3a572cea7a83c6bf07dcfa71eea20c3b0579a358c73419b52dfeaf9e745967622b1c262c9fa9fcf7a96d325b1b690a2d6662

Download Submit
memory/4884-132-0x0000000002A00000-0x0000000002BCD000-memory.dmp

Filesize
1.8MB

Download
memory/4884-134-0x0000000002A00000-0x0000000002BCD000-memory.dmp

Filesize
1.8MB

Download
memory/4884-135-0x0000000002A00000-0x0000000002BCD000-memory.dmp

Filesize
1.8MB

Download
memory/4884-140-0x0000000002A00000-0x0000000002BCD000-memory.dmp

Filesize
1.8MB

Download