994349fcb9ddb3b5f595392613f13e939af373521de9ceba27b8361a60d8b72a

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 09:11

Target

NEAS.75ca897388b8977dbf96d67a06be4c80.exe
Size

3.6MB
MD5

75ca897388b8977dbf96d67a06be4c80
SHA1

683d1f6de6aa20f47fe70edb110f73fa8aea3d7a
SHA256

994349fcb9ddb3b5f595392613f13e939af373521de9ceba27b8361a60d8b72a
SHA512

aa73bcf7fde7f60d9133d471c36be56871135a42d7ee92dcb43e7a70f1752ae21e5d1c6d92512a469e3f306d1486b829decdc45850c86284f297ecc53651435f
SSDEEP

98304:ewc3evzvh7phFW/Qwk8khbNqk9mgHdk6mjJvoeJp:ewcipFW/Qw7ob0gH6NJ1

Score

7^/10

vmprotect

Executes dropped EXE 1 IoCs

pid	Process
3136	vmyqwngrnzem.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/4196-0-0x0000000000400000-0x00000000008CE000-memory.dmp	vmprotect
behavioral2/files/0x0006000000022e10-4.dat	vmprotect
behavioral2/files/0x0006000000022e10-5.dat	vmprotect
behavioral2/memory/3136-6-0x0000000000400000-0x00000000008CE000-memory.dmp	vmprotect

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\gzwdxece\vmyqwngrnzem.exe	NEAS.75ca897388b8977dbf96d67a06be4c80.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 3136	4196	NEAS.75ca897388b8977dbf96d67a06be4c80.exe	89
PID 4196 wrote to memory of 3136	4196	NEAS.75ca897388b8977dbf96d67a06be4c80.exe	89
PID 4196 wrote to memory of 3136	4196	NEAS.75ca897388b8977dbf96d67a06be4c80.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.75ca897388b8977dbf96d67a06be4c80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.75ca897388b8977dbf96d67a06be4c80.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Program Files (x86)\gzwdxece\vmyqwngrnzem.exe
  "C:\Program Files (x86)\gzwdxece\vmyqwngrnzem.exe"
  2⤵
  - Executes dropped EXE
  PID:3136

C:\Program Files (x86)\gzwdxece\vmyqwngrnzem.exe

Filesize
3.6MB

MD5
d7e9b9551f5a474bd02b5a70c1591cbd

SHA1
fda8c0c0cbf58dc9011f9af26b61a3533b6e3254

SHA256
0c822c99aa4928522d76d6d84a235f3ac0e7f49b7f926d15f35dc3ffa663ecce

SHA512
62683890d8ccf888f9e043ebc788e69b9b19670f0b636faf0691cdebb97b07c9a3378db2b41c8af446c7e44f42f88b39bf52b6ba457cf40d4ea26a8444e00683

Download Submit
C:\Program Files (x86)\gzwdxece\vmyqwngrnzem.exe

Filesize
3.6MB

MD5
d7e9b9551f5a474bd02b5a70c1591cbd

SHA1
fda8c0c0cbf58dc9011f9af26b61a3533b6e3254

SHA256
0c822c99aa4928522d76d6d84a235f3ac0e7f49b7f926d15f35dc3ffa663ecce

SHA512
62683890d8ccf888f9e043ebc788e69b9b19670f0b636faf0691cdebb97b07c9a3378db2b41c8af446c7e44f42f88b39bf52b6ba457cf40d4ea26a8444e00683

Download Submit
memory/3136-6-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/4196-0-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download