6c716a49ea22e7d028ccde485d5c4ddc236369c9b60eedd3602d0172d42a5b9c

Analysis

max time kernel
55s
max time network
58s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
30/05/2023, 23:39

Target

Permanent_Loader.exe
Size

5.1MB
MD5

adafde1dc3ab8eecd5e611cf6427dbf5
SHA1

424245983e0996571c989f6d6f5236702fda800e
SHA256

6c716a49ea22e7d028ccde485d5c4ddc236369c9b60eedd3602d0172d42a5b9c
SHA512

ad418c58ab787934b42420a5c43e0066f2732d5c9594f21496013931aaddca77bb4f39547dd7eb02e1aad3330d573bae72abf3e57cb4341e81da53f0e661b58d
SSDEEP

98304:eq/WT/VbNl7PAk96LpTVfCjENZvSHj/F9gY2lF/N:5uNndALpVfCj68Hx9l2L1

Score

7^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/3584-119-0x0000000140000000-0x00000001408D9000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3584	Permanent_Loader.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3140	3584	WerFault.exe	65

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3132	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3584	Permanent_Loader.exe
3584	Permanent_Loader.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 368	3584	Permanent_Loader.exe	67
PID 3584 wrote to memory of 368	3584	Permanent_Loader.exe	67
PID 368 wrote to memory of 4396	368	cmd.exe	68
PID 368 wrote to memory of 4396	368	cmd.exe	68
PID 368 wrote to memory of 2180	368	cmd.exe	69
PID 368 wrote to memory of 2180	368	cmd.exe	69
PID 368 wrote to memory of 2172	368	cmd.exe	70
PID 368 wrote to memory of 2172	368	cmd.exe	70
PID 3584 wrote to memory of 1804	3584	Permanent_Loader.exe	71
PID 3584 wrote to memory of 1804	3584	Permanent_Loader.exe	71
PID 1804 wrote to memory of 4116	1804	cmd.exe	72
PID 1804 wrote to memory of 4116	1804	cmd.exe	72
PID 4116 wrote to memory of 3132	4116	cmd.exe	75
PID 4116 wrote to memory of 3132	4116	cmd.exe	75

C:\Users\Admin\AppData\Local\Temp\Permanent_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Permanent_Loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Permanent_Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Permanent_Loader.exe" MD5
    3⤵
    PID:4396
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2180
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3584 -s 1448
  2⤵
  - Program crash
  PID:3140

memory/3584-117-0x00007FFEAD800000-0x00007FFEAD802000-memory.dmp

Filesize
8KB

Download
memory/3584-118-0x00007FFEAD810000-0x00007FFEAD812000-memory.dmp

Filesize
8KB

Download
memory/3584-119-0x0000000140000000-0x00000001408D9000-memory.dmp

Filesize
8.8MB

Download