6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63

General

Target

6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
Size

85KB
MD5

cbf4bfe048428c75658a97636038d4f2
SHA1

8d9683a259e1b2b353d6d172ce1b3a4f3eef3e98
SHA256

6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63
SHA512

687460e67d9e875db8a201f881991e7eacb82c86799783a4d3d7cdd684649dbc8a868afe62fbf1fddeb90e72cc33dfe5836ba8b0ee15fe15d8dbdb64c2f758a1
SSDEEP

1536:A8ZSadagxpHbGGpT74d+pM3tdlokqYbriJAJwe3hiefMZck54rQMrXg:RdaO79p74d+y9bqYfiyJwe3hiefMnur/

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1480-54-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect
behavioral1/memory/1480-55-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe

pid process

1480 6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe

pid	process
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe

description	pid	process	target process
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE
PID 1480 wrote to memory of 1380	1480	6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe
"C:\Users\Admin\AppData\Local\Temp\6566e37de9f53f9181ed44365f0d92340923feec9e67a7f5a59bb9ef7fd49c63.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1480-55-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads