d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe
Size

7.6MB
MD5

66695cdbe8004e146325649b87fc965d
SHA1

2b146ee021791cb8a6c14365633c591831e4d2f8
SHA256

d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0
SHA512

f603cd20640eb71a9eb084e4da7ce5282b75e5ed9cda353ccca4ce584ef632f5be32b0accb3e21d8c7bb6573ac989043e1cf4fe3e3bcb124f0b2e3a4c9381215
SSDEEP

98304:qdnDUKApiZfKUrT9Iipm+Wzn5GLcZJrRsXVXckehQM5oyXeRefyKKgAvtfvo3v78:qdDUu36ito5GLcHOEQbyXeFVZvMHA

Score

7^/10

upx vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2896	svchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1456-12-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/1456-14-0x0000000000250000-0x000000000025B000-memory.dmp	upx
behavioral1/memory/1456-28-0x0000000000250000-0x000000000025B000-memory.dmp	upx
behavioral1/memory/2896-34-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/2896-35-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/2896-37-0x0000000000270000-0x000000000027B000-memory.dmp	upx
behavioral1/memory/2896-40-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/2896-41-0x0000000000270000-0x000000000027B000-memory.dmp	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1456-0-0x0000000000400000-0x00000000013F4000-memory.dmp	vmprotect
behavioral1/memory/1456-9-0x0000000000400000-0x00000000013F4000-memory.dmp	vmprotect
behavioral1/files/0x0001000000000026-20.dat	vmprotect
behavioral1/files/0x0001000000000026-19.dat	vmprotect
behavioral1/memory/1456-26-0x0000000000400000-0x00000000013F4000-memory.dmp	vmprotect
behavioral1/memory/2896-32-0x0000000000400000-0x00000000013F4000-memory.dmp	vmprotect
behavioral1/memory/2896-39-0x0000000000400000-0x00000000013F4000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1456	d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe
2896	svchost.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1456	d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1456	d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe
1456	d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe
2896	svchost.exe
2896	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2896	1456	d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe	28
PID 1456 wrote to memory of 2896	1456	d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe	28
PID 1456 wrote to memory of 2896	1456	d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe	28
PID 1456 wrote to memory of 2896	1456	d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe	28

C:\Users\Admin\AppData\Local\Temp\d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe
"C:\Users\Admin\AppData\Local\Temp\d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456
- F:\svchost.exe
  F:\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

F:\svchost.exe

Filesize
7.6MB

MD5
66695cdbe8004e146325649b87fc965d

SHA1
2b146ee021791cb8a6c14365633c591831e4d2f8

SHA256
d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0

SHA512
f603cd20640eb71a9eb084e4da7ce5282b75e5ed9cda353ccca4ce584ef632f5be32b0accb3e21d8c7bb6573ac989043e1cf4fe3e3bcb124f0b2e3a4c9381215

Download Submit
F:\svchost.exe

Filesize
7.6MB

MD5
66695cdbe8004e146325649b87fc965d

SHA1
2b146ee021791cb8a6c14365633c591831e4d2f8

SHA256
d4baae26607f61437272254e7b207378f42586efd84e901e1ca7661cbc06a4a0

SHA512
f603cd20640eb71a9eb084e4da7ce5282b75e5ed9cda353ccca4ce584ef632f5be32b0accb3e21d8c7bb6573ac989043e1cf4fe3e3bcb124f0b2e3a4c9381215

Download Submit
memory/1456-12-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1456-26-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download
memory/1456-9-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download
memory/1456-0-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download
memory/1456-14-0x0000000000250000-0x000000000025B000-memory.dmp

Filesize
44KB

Download
memory/1456-15-0x0000000077840000-0x0000000077841000-memory.dmp

Filesize
4KB

Download
memory/1456-3-0x0000000077840000-0x0000000077841000-memory.dmp

Filesize
4KB

Download
memory/1456-21-0x0000000003500000-0x00000000044F4000-memory.dmp

Filesize
16.0MB

Download
memory/1456-1-0x0000000077840000-0x0000000077841000-memory.dmp

Filesize
4KB

Download
memory/1456-7-0x0000000076F80000-0x0000000076F81000-memory.dmp

Filesize
4KB

Download
memory/1456-28-0x0000000000250000-0x000000000025B000-memory.dmp

Filesize
44KB

Download
memory/2896-32-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download
memory/2896-34-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2896-35-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2896-37-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/2896-38-0x0000000076F80000-0x0000000076F81000-memory.dmp

Filesize
4KB

Download
memory/2896-39-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download
memory/2896-40-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2896-41-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download