ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7

General

Target

ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe
Size

12.4MB
MD5

cf53d66004b4c6ab45fb4a80a2f0f775
SHA1

5bc0e3a99580f6d290ae961b5ade47ac51994980
SHA256

ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7
SHA512

eb9603551596469e207fdbd2e03c09c8a984f3c2569cd1bc28eda710a77a65fa28cecbeeebf7ecfdbddeb36ae702f4147720e3d8e52c3f9c4270034b90594e44
SSDEEP

393216:/ZaOtcKNdpN8+8QFV2Vr5sjqQNRvv40TFV2F/5lL3Y:/PjFNn86IlTQNRJWjL3Y

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	Uninstall64.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1712-4-0x000000013F090000-0x00000001407BF000-memory.dmp	vmprotect
behavioral1/memory/1712-37-0x000000013F090000-0x00000001407BF000-memory.dmp	vmprotect
behavioral1/memory/2756-51-0x0000000180000000-0x0000000180E67000-memory.dmp	vmprotect
behavioral1/memory/2756-56-0x0000000180000000-0x0000000180E67000-memory.dmp	vmprotect
behavioral1/memory/2756-62-0x0000000180000000-0x0000000180E67000-memory.dmp	vmprotect
behavioral1/memory/1712-65-0x000000013F090000-0x00000001407BF000-memory.dmp	vmprotect
behavioral1/memory/2756-67-0x0000000180000000-0x0000000180E67000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe
1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe
1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe
1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe
1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe
1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2756	Uninstall64.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2756	1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe	28
PID 1712 wrote to memory of 2756	1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe	28
PID 1712 wrote to memory of 2756	1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe	28
PID 1712 wrote to memory of 2756	1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe	28
PID 1712 wrote to memory of 2756	1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe	28
PID 1712 wrote to memory of 2756	1712	ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe	28

C:\Users\Admin\AppData\Local\Temp\ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe
"C:\Users\Admin\AppData\Local\Temp\ebc0a23966c792adccd685ca6b844ddfdd41cf5c618cd8bc20eac34cea9358b7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\Uninstall64.exe
  C:\Users\Admin\AppData\Local\Temp\Uninstall64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uninstall64.exe

Filesize
489KB

MD5
cc8d09544f0a963fbc81c24b2237870e

SHA1
c5a2e59803feec165641c4253ed7471ba38e28d5

SHA256
654573bf549cc532b4d43dc4af95c4363e7f2843fc01c74367d3dc9adf42522a

SHA512
c5ca3f232e978efab948c60bfdc47318f7bc5db991adf76183f427814078bbc04244d75f3945eca39c78bcda5809f5f175eb8187b18b724f697d6adfc2ada220

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall64.exe

Filesize
489KB

MD5
cc8d09544f0a963fbc81c24b2237870e

SHA1
c5a2e59803feec165641c4253ed7471ba38e28d5

SHA256
654573bf549cc532b4d43dc4af95c4363e7f2843fc01c74367d3dc9adf42522a

SHA512
c5ca3f232e978efab948c60bfdc47318f7bc5db991adf76183f427814078bbc04244d75f3945eca39c78bcda5809f5f175eb8187b18b724f697d6adfc2ada220

Download Submit
\Users\Admin\AppData\Local\Temp\Uninstall64.exe

Filesize
489KB

MD5
cc8d09544f0a963fbc81c24b2237870e

SHA1
c5a2e59803feec165641c4253ed7471ba38e28d5

SHA256
654573bf549cc532b4d43dc4af95c4363e7f2843fc01c74367d3dc9adf42522a

SHA512
c5ca3f232e978efab948c60bfdc47318f7bc5db991adf76183f427814078bbc04244d75f3945eca39c78bcda5809f5f175eb8187b18b724f697d6adfc2ada220

Download Submit
memory/1712-30-0x000007FEFD230000-0x000007FEFD232000-memory.dmp

Filesize
8KB

Download
memory/1712-25-0x000007FEFD220000-0x000007FEFD222000-memory.dmp

Filesize
8KB

Download
memory/1712-31-0x00000000774E0000-0x00000000774E2000-memory.dmp

Filesize
8KB

Download
memory/1712-10-0x00000000774B0000-0x00000000774B2000-memory.dmp

Filesize
8KB

Download
memory/1712-11-0x00000000774C0000-0x00000000774C2000-memory.dmp

Filesize
8KB

Download
memory/1712-13-0x00000000774C0000-0x00000000774C2000-memory.dmp

Filesize
8KB

Download
memory/1712-15-0x00000000774C0000-0x00000000774C2000-memory.dmp

Filesize
8KB

Download
memory/1712-16-0x00000000774D0000-0x00000000774D2000-memory.dmp

Filesize
8KB

Download
memory/1712-18-0x00000000774D0000-0x00000000774D2000-memory.dmp

Filesize
8KB

Download
memory/1712-20-0x00000000774D0000-0x00000000774D2000-memory.dmp

Filesize
8KB

Download
memory/1712-23-0x000007FEFD220000-0x000007FEFD222000-memory.dmp

Filesize
8KB

Download
memory/1712-2-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/1712-28-0x000007FEFD230000-0x000007FEFD232000-memory.dmp

Filesize
8KB

Download
memory/1712-0-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/1712-6-0x00000000774B0000-0x00000000774B2000-memory.dmp

Filesize
8KB

Download
memory/1712-36-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1712-8-0x00000000774B0000-0x00000000774B2000-memory.dmp

Filesize
8KB

Download
memory/1712-35-0x00000000774E0000-0x00000000774E2000-memory.dmp

Filesize
8KB

Download
memory/1712-37-0x000000013F090000-0x00000001407BF000-memory.dmp

Filesize
23.2MB

Download
memory/1712-5-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/1712-33-0x00000000774E0000-0x00000000774E2000-memory.dmp

Filesize
8KB

Download
memory/1712-66-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1712-65-0x000000013F090000-0x00000001407BF000-memory.dmp

Filesize
23.2MB

Download
memory/1712-4-0x000000013F090000-0x00000001407BF000-memory.dmp

Filesize
23.2MB

Download
memory/2756-67-0x0000000180000000-0x0000000180E67000-memory.dmp

Filesize
14.4MB

Download
memory/2756-56-0x0000000180000000-0x0000000180E67000-memory.dmp

Filesize
14.4MB

Download
memory/2756-62-0x0000000180000000-0x0000000180E67000-memory.dmp

Filesize
14.4MB

Download
memory/2756-51-0x0000000180000000-0x0000000180E67000-memory.dmp

Filesize
14.4MB

Download
memory/2756-49-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2756-45-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2756-44-0x0000000000170000-0x000000000074D000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing