994349fcb9ddb3b5f595392613f13e939af373521de9ceba27b8361a60d8b72a

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 09:11

Target

NEAS.75ca897388b8977dbf96d67a06be4c80.exe
Size

3.6MB
MD5

75ca897388b8977dbf96d67a06be4c80
SHA1

683d1f6de6aa20f47fe70edb110f73fa8aea3d7a
SHA256

994349fcb9ddb3b5f595392613f13e939af373521de9ceba27b8361a60d8b72a
SHA512

aa73bcf7fde7f60d9133d471c36be56871135a42d7ee92dcb43e7a70f1752ae21e5d1c6d92512a469e3f306d1486b829decdc45850c86284f297ecc53651435f
SSDEEP

98304:ewc3evzvh7phFW/Qwk8khbNqk9mgHdk6mjJvoeJp:ewcipFW/Qw7ob0gH6NJ1

Score

7^/10

vmprotect

Executes dropped EXE 1 IoCs

pid	Process
2340	apadken.exe

Loads dropped DLL 1 IoCs

pid	Process
852	NEAS.75ca897388b8977dbf96d67a06be4c80.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/852-0-0x0000000000400000-0x00000000008CE000-memory.dmp	vmprotect
behavioral1/files/0x00070000000120b7-3.dat	vmprotect
behavioral1/files/0x00070000000120b7-6.dat	vmprotect
behavioral1/memory/2340-7-0x0000000000400000-0x00000000008CE000-memory.dmp	vmprotect

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\vuqrprqs\apadken.exe	NEAS.75ca897388b8977dbf96d67a06be4c80.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2340	852	NEAS.75ca897388b8977dbf96d67a06be4c80.exe	28
PID 852 wrote to memory of 2340	852	NEAS.75ca897388b8977dbf96d67a06be4c80.exe	28
PID 852 wrote to memory of 2340	852	NEAS.75ca897388b8977dbf96d67a06be4c80.exe	28
PID 852 wrote to memory of 2340	852	NEAS.75ca897388b8977dbf96d67a06be4c80.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.75ca897388b8977dbf96d67a06be4c80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.75ca897388b8977dbf96d67a06be4c80.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:852
- C:\Program Files (x86)\vuqrprqs\apadken.exe
  "C:\Program Files (x86)\vuqrprqs\apadken.exe"
  2⤵
  - Executes dropped EXE
  PID:2340

C:\Program Files (x86)\vuqrprqs\apadken.exe

Filesize
3.6MB

MD5
85b200bb29194e3ddd1b70ad9d17cca5

SHA1
53ec3b37d3642870591d83bc9e7ecf71b66aff19

SHA256
fc50b5b865b519a9788ce19d552065a1b4dabd465f8bf4e41da805dec1b832ab

SHA512
09df5570f7ccf10360a675497bf1ef6fec7e017dca8961c5a6848186180bf610f8642633039a772cb7ada5e9f032c34dec26a8923127e02bea8589b992c77cbd

Download Submit
\Program Files (x86)\vuqrprqs\apadken.exe

Filesize
3.6MB

MD5
85b200bb29194e3ddd1b70ad9d17cca5

SHA1
53ec3b37d3642870591d83bc9e7ecf71b66aff19

SHA256
fc50b5b865b519a9788ce19d552065a1b4dabd465f8bf4e41da805dec1b832ab

SHA512
09df5570f7ccf10360a675497bf1ef6fec7e017dca8961c5a6848186180bf610f8642633039a772cb7ada5e9f032c34dec26a8923127e02bea8589b992c77cbd

Download Submit
memory/852-0-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2340-7-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download