7d90ea4b9f44f5fc3ca56ade5d9f7fd766bc0737ded8ec619abd8155cd0dfa40

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27/03/2023, 02:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
Size

9.8MB
MD5

c74db1c18bb808ffca46773f66c8d229
SHA1

c3d0a2360be7e31c3e200fc1b304252d2055ddeb
SHA256

b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96
SHA512

fc12876e52c7f81c921daa70360bb831536727f6134e174787154368c03c521129c876174b7709739cea1e8bd4121a4e298903a1e48a4e23321e322e58016c63
SSDEEP

196608:/pp+DPIQAjWjFOz3miT1VYMCwt/UaadQda6h+2qj7/UFHhpyEQ:/pQDPIQ1jkCY/UaAiEY7gEQ

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1960-117-0x0000000000400000-0x000000000179B000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1844	560	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	29
PID 560 wrote to memory of 1844	560	svchost.exe	30
PID 560 wrote to memory of 1844	560	svchost.exe	30
PID 560 wrote to memory of 1844	560	svchost.exe	30
PID 560 wrote to memory of 1844	560	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
"C:\Users\Admin\AppData\Local\Temp\b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 52
    3⤵
    - Program crash
    PID:1844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-186-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1960-55-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-54-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-56-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-58-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1960-57-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1960-59-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1960-61-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1960-62-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1960-64-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1960-65-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1960-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1960-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1960-70-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/1960-71-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/1960-73-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/1960-72-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/1960-74-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/1960-76-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1960-75-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1960-77-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1960-79-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1960-78-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1960-80-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1960-81-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1960-82-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1960-83-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1960-88-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1960-89-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1960-87-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1960-86-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1960-85-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1960-84-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1960-91-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/1960-90-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/1960-92-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/1960-94-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1960-93-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1960-95-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1960-97-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/1960-96-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/1960-98-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/1960-100-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/1960-99-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/1960-101-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/1960-103-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/1960-102-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/1960-104-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/1960-106-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1960-105-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1960-107-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1960-109-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1960-108-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1960-110-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1960-111-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1960-112-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1960-113-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1960-114-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1960-115-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1960-116-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1960-117-0x0000000000400000-0x000000000179B000-memory.dmp

Filesize
19.6MB

Download