363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21-09-2023 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe
Size

8.9MB
MD5

fa17412e34cb099a53a58fa9345eafda
SHA1

47487bdc4ad785b5335c6b1e303d81142febde47
SHA256

363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676
SHA512

f8f88ec3856173656207bdaf755c461242d1262b36c285d7e07974d4616dc1ab278b5349b729405d2dc5ba5b4607f766ac5d7cdd624a71d53f638a7bd7978017
SSDEEP

196608:YiFi/efETAkIX64eteN5k45dV77sDTAuhqTPhgdaOCkG22O:1yewIKs5H+AthXOfGDO

Score

7^/10

upx vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	GSOBLGCUWEORAIT.dll

Loads dropped DLL 1 IoCs

pid	Process
3020	363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2824-54-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/2824-55-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/2824-57-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-58-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-59-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-61-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-63-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-65-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-69-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-72-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-74-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-76-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-78-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-82-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-85-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-88-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-91-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-94-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-97-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-101-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-105-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-108-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-111-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-113-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-115-0x00000000039B0000-0x00000000039EE000-memory.dmp	upx
behavioral1/memory/2824-116-0x0000000010000000-0x0000000010018000-memory.dmp	upx

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x003000000001627d-3.dat	vmprotect
behavioral1/files/0x003000000001627d-6.dat	vmprotect
behavioral1/files/0x003000000001627d-7.dat	vmprotect
behavioral1/memory/2824-8-0x0000000000400000-0x0000000001393000-memory.dmp	vmprotect
behavioral1/memory/2824-12-0x0000000000400000-0x0000000001393000-memory.dmp	vmprotect
behavioral1/memory/2824-51-0x0000000000400000-0x0000000001393000-memory.dmp	vmprotect
behavioral1/memory/2824-67-0x0000000000400000-0x0000000001393000-memory.dmp	vmprotect
behavioral1/memory/2824-117-0x0000000000400000-0x0000000001393000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2824	GSOBLGCUWEORAIT.dll

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AWMMark.ini	363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2824	GSOBLGCUWEORAIT.dll
2824	GSOBLGCUWEORAIT.dll
2824	GSOBLGCUWEORAIT.dll

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3020	363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe
3020	363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe
2824	GSOBLGCUWEORAIT.dll
2824	GSOBLGCUWEORAIT.dll
2824	GSOBLGCUWEORAIT.dll

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2824	3020	363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe	28
PID 3020 wrote to memory of 2824	3020	363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe	28
PID 3020 wrote to memory of 2824	3020	363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe	28
PID 3020 wrote to memory of 2824	3020	363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe	28

C:\Users\Admin\AppData\Local\Temp\363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe
"C:\Users\Admin\AppData\Local\Temp\363e77ab09bf93b2f7b1905cc84aa777f9fddc058c142d09d4b8bdbd5b5e0676.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\GSOBLGCUWEORAIT.dll
  C:\Users\Admin\AppData\Local\Temp\GSOBLGCUWEORAIT.dll
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GSOBLGCUWEORAIT.dll

Filesize
8.2MB

MD5
9d57e17694f7c29be7443a3fa7e3a7b2

SHA1
2e61d88da48ccf5d4a0aa6b0b75edda10a3c2e64

SHA256
79478cd1a78e01955b9b050fc0e04fad2aae1ca2b6f634cc4bdb664c3a3079cf

SHA512
1d3e85854383e7f345fa3f4899a4cb4e9c146c7915b8f53858aa39aa5d0c976d62dd6c929dda396ffa16547e2bcd4496588c71c93ea81d0c389160813bf3480a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSOBLGCUWEORAIT.dll

Filesize
8.2MB

MD5
9d57e17694f7c29be7443a3fa7e3a7b2

SHA1
2e61d88da48ccf5d4a0aa6b0b75edda10a3c2e64

SHA256
79478cd1a78e01955b9b050fc0e04fad2aae1ca2b6f634cc4bdb664c3a3079cf

SHA512
1d3e85854383e7f345fa3f4899a4cb4e9c146c7915b8f53858aa39aa5d0c976d62dd6c929dda396ffa16547e2bcd4496588c71c93ea81d0c389160813bf3480a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kaynb666.ini

Filesize
79B

MD5
144094ee06a04f1ef3b5236910cf9b2c

SHA1
f128685020939d223b4bce7bf83802881e487e78

SHA256
af0b2d7be8265165474f15ef274e079adc8e3224be018b0f521b68f37272887d

SHA512
82676134348a2ab0368151dc92bf185942c2e8f31c6078f494d8fd8b035062b28ebb8e1668b173bd2d3bedf6f7cc98851d339db875a7865bc1540977ade83c50

Download Submit
\Users\Admin\AppData\Local\Temp\GSOBLGCUWEORAIT.dll

Filesize
8.2MB

MD5
9d57e17694f7c29be7443a3fa7e3a7b2

SHA1
2e61d88da48ccf5d4a0aa6b0b75edda10a3c2e64

SHA256
79478cd1a78e01955b9b050fc0e04fad2aae1ca2b6f634cc4bdb664c3a3079cf

SHA512
1d3e85854383e7f345fa3f4899a4cb4e9c146c7915b8f53858aa39aa5d0c976d62dd6c929dda396ffa16547e2bcd4496588c71c93ea81d0c389160813bf3480a

Download Submit
memory/2824-8-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2824-9-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2824-14-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2824-12-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2824-11-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2824-15-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2824-17-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2824-19-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2824-24-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2824-22-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2824-27-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/2824-29-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/2824-34-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/2824-32-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/2824-37-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/2824-39-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/2824-40-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/2824-42-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/2824-44-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/2824-46-0x00000000774E0000-0x00000000774E1000-memory.dmp

Filesize
4KB

Download
memory/2824-45-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/2824-48-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/2824-50-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/2824-51-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2824-54-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2824-55-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2824-57-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-58-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-59-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-61-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-63-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-65-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-67-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2824-69-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-72-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-74-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-76-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-78-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-82-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-85-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-88-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-91-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-94-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-97-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-101-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-105-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-108-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-111-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-113-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-115-0x00000000039B0000-0x00000000039EE000-memory.dmp

Filesize
248KB

Download
memory/2824-116-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2824-117-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download