14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-08-2023 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe
Size

1.8MB
MD5

b4152f43ee6f842cff2302aefe5eabef
SHA1

24f38f6c202e08ffb39e2d6135c2ec6ed78885fe
SHA256

14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765
SHA512

51b801bbab3bc0501ad0aedd30072714701dce19fe0f84331be3ff743221c015995f819c81d7baa31866184bf9b266990d57ec835488937d07876398cd595b72
SSDEEP

49152:jxv9f3RO2Pmm0/d3rCLokmzIi4xx8q0dYTJ:jbBPmmWr5xMYHo

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2440	Browser.exe

Loads dropped DLL 7 IoCs

pid	Process
2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe
2440	Browser.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2748-54-0x0000000000400000-0x0000000000896000-memory.dmp	vmprotect
behavioral1/memory/2748-63-0x0000000000400000-0x0000000000896000-memory.dmp	vmprotect
behavioral1/files/0x0025000000015eae-73.dat	vmprotect
behavioral1/files/0x0025000000015eae-74.dat	vmprotect
behavioral1/memory/2440-75-0x0000000063CB0000-0x0000000064CB0000-memory.dmp	vmprotect
behavioral1/memory/2748-77-0x0000000000400000-0x0000000000896000-memory.dmp	vmprotect
behavioral1/memory/2748-78-0x0000000000400000-0x0000000000896000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2972	2440	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe
2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2440	2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	28
PID 2748 wrote to memory of 2440	2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	28
PID 2748 wrote to memory of 2440	2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	28
PID 2748 wrote to memory of 2440	2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	28
PID 2748 wrote to memory of 2440	2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	28
PID 2748 wrote to memory of 2440	2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	28
PID 2748 wrote to memory of 2440	2748	14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe	28
PID 2440 wrote to memory of 2972	2440	Browser.exe	29
PID 2440 wrote to memory of 2972	2440	Browser.exe	29
PID 2440 wrote to memory of 2972	2440	Browser.exe	29
PID 2440 wrote to memory of 2972	2440	Browser.exe	29

C:\Users\Admin\AppData\Local\Temp\14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe
"C:\Users\Admin\AppData\Local\Temp\14a9face474f66456c37f4e95dd67dc6a35ab3b15549d9fca4d915fd7b39c765.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Public\Videos\3aDpo_8\Browser.exe
  C:\Users\Public\Videos\3aDpo_8\\Browser.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 228
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Videos\3aDpo_8\Browser.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
C:\Users\Public\Videos\3aDpo_8\Foundation.dll

Filesize
377KB

MD5
6b7cca9be87e20e63ebf0c146d4fe48c

SHA1
ba46f42dec2f388546e21bd94e97a00baf1e9a21

SHA256
fb671a9ae58fb0e9e619f7646f00468cd94dce34e1d52cbe047be11d4cc7b1de

SHA512
a637d9c3408a5fbcbdd84fd05e72a5779ef95c94405afdced9632dde05feaf5424c7f4bc9c050c26335c86159ff429c28995b7c6cef1d068f81f8f28ffcbedf2

Download Submit
\Users\Public\Videos\3aDpo_8\Browser.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
\Users\Public\Videos\3aDpo_8\Browser.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
\Users\Public\Videos\3aDpo_8\Browser.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
\Users\Public\Videos\3aDpo_8\Browser.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
\Users\Public\Videos\3aDpo_8\Browser.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
\Users\Public\Videos\3aDpo_8\Browser.exe

Filesize
529KB

MD5
a683bcd9e78f8b37dd5173fd92695a7d

SHA1
a40ef4c407c0c85318af6c8700a0bdc8b54de01a

SHA256
d4d63d20fb6aec60348b0a8d1b46086a26e00ed3d743badc93ba773722f18d9f

SHA512
c2a08dadb0f738476f9219f98d6e939548bf3a33b6c84ca1315cdfe181457250f4fed7195c31b11af14a20c9ac61908d403a896c6dd1654993e2c4c75cb27a37

Download Submit
\Users\Public\Videos\3aDpo_8\Foundation.dll

Filesize
377KB

MD5
6b7cca9be87e20e63ebf0c146d4fe48c

SHA1
ba46f42dec2f388546e21bd94e97a00baf1e9a21

SHA256
fb671a9ae58fb0e9e619f7646f00468cd94dce34e1d52cbe047be11d4cc7b1de

SHA512
a637d9c3408a5fbcbdd84fd05e72a5779ef95c94405afdced9632dde05feaf5424c7f4bc9c050c26335c86159ff429c28995b7c6cef1d068f81f8f28ffcbedf2

Download Submit
memory/2440-75-0x0000000063CB0000-0x0000000064CB0000-memory.dmp

Filesize
16.0MB

Download
memory/2748-63-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/2748-77-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/2748-78-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/2748-65-0x00000000762A0000-0x00000000762A1000-memory.dmp

Filesize
4KB

Download
memory/2748-54-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/2748-61-0x00000000762A0000-0x00000000762A1000-memory.dmp

Filesize
4KB

Download
memory/2748-57-0x0000000077A10000-0x0000000077A11000-memory.dmp

Filesize
4KB

Download
memory/2748-55-0x0000000077A10000-0x0000000077A11000-memory.dmp

Filesize
4KB

Download