6c716a49ea22e7d028ccde485d5c4ddc236369c9b60eedd3602d0172d42a5b9c

Analysis

max time kernel
150s
max time network
97s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30/05/2023, 23:40

Target

Permanent_Loader.exe
Size

5.1MB
MD5

adafde1dc3ab8eecd5e611cf6427dbf5
SHA1

424245983e0996571c989f6d6f5236702fda800e
SHA256

6c716a49ea22e7d028ccde485d5c4ddc236369c9b60eedd3602d0172d42a5b9c
SHA512

ad418c58ab787934b42420a5c43e0066f2732d5c9594f21496013931aaddca77bb4f39547dd7eb02e1aad3330d573bae72abf3e57cb4341e81da53f0e661b58d
SSDEEP

98304:eq/WT/VbNl7PAk96LpTVfCjENZvSHj/F9gY2lF/N:5uNndALpVfCj68Hx9l2L1

Score

7^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1948-60-0x0000000140000000-0x00000001408D9000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1948	Permanent_Loader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1948	Permanent_Loader.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1768	1948	Permanent_Loader.exe	29
PID 1948 wrote to memory of 1768	1948	Permanent_Loader.exe	29
PID 1948 wrote to memory of 1768	1948	Permanent_Loader.exe	29
PID 1768 wrote to memory of 1804	1768	cmd.exe	30
PID 1768 wrote to memory of 1804	1768	cmd.exe	30
PID 1768 wrote to memory of 1804	1768	cmd.exe	30
PID 1768 wrote to memory of 1064	1768	cmd.exe	31
PID 1768 wrote to memory of 1064	1768	cmd.exe	31
PID 1768 wrote to memory of 1064	1768	cmd.exe	31
PID 1768 wrote to memory of 1324	1768	cmd.exe	32
PID 1768 wrote to memory of 1324	1768	cmd.exe	32
PID 1768 wrote to memory of 1324	1768	cmd.exe	32
PID 1948 wrote to memory of 1612	1948	Permanent_Loader.exe	33
PID 1948 wrote to memory of 1612	1948	Permanent_Loader.exe	33
PID 1948 wrote to memory of 1612	1948	Permanent_Loader.exe	33

C:\Users\Admin\AppData\Local\Temp\Permanent_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Permanent_Loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Permanent_Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Permanent_Loader.exe" MD5
    3⤵
    PID:1804
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1064
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1612

memory/1948-54-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download
memory/1948-55-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download
memory/1948-56-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download
memory/1948-57-0x0000000077750000-0x0000000077752000-memory.dmp

Filesize
8KB

Download
memory/1948-58-0x0000000077750000-0x0000000077752000-memory.dmp

Filesize
8KB

Download
memory/1948-59-0x0000000077750000-0x0000000077752000-memory.dmp

Filesize
8KB

Download
memory/1948-60-0x0000000140000000-0x00000001408D9000-memory.dmp

Filesize
8.8MB

Download