d3f0b6a5e1797be376a82e6887f414cfb448e4fcc87d9d42c2672b387f0e1f3c | Triage

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/02/2023, 22:00

Sharing

Report Analysis Logs

General

Target

stringless.exe
Size

2.6MB
MD5

7fb60ff8c9849f18a1cec88180389ef4
SHA1

4e7633c8e3b9b23a63e89b41f47918dbc7f78059
SHA256

d3f0b6a5e1797be376a82e6887f414cfb448e4fcc87d9d42c2672b387f0e1f3c
SHA512

12237d943a687ff3af4064d2870eebe13d1cfbf70147270b39f7d400ec5a1ad069754236759273045be7f0e41e73e539076a7202605f45b45aef979af90178d1
SSDEEP

49152:pDCmaU6plqLgopWRS0n9q6/XGxlbEPxlBst4naV4ZVTp:ppaplDS09pXGxdqbWUTp

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1652-54-0x0000000001330000-0x00000000018EE000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
808	1652	WerFault.exe	26

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 808	1652	stringless.exe	28
PID 1652 wrote to memory of 808	1652	stringless.exe	28
PID 1652 wrote to memory of 808	1652	stringless.exe	28

C:\Users\Admin\AppData\Local\Temp\stringless.exe
"C:\Users\Admin\AppData\Local\Temp\stringless.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1652 -s 852
  2⤵
  - Program crash
  PID:808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-54-0x0000000001330000-0x00000000018EE000-memory.dmp

Filesize
5.7MB

Download
memory/1652-57-0x000000001CDA0000-0x000000001CF1C000-memory.dmp

Filesize
1.5MB

Download
memory/1652-58-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/1652-59-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download