42b6039b1b34b619b8b3080e75f58b1ad6d37b8f87c53cb13b7fcbf01fb055af

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 23:05

Target

NEAS.54ecf3b1b54e1545932d192028062920.exe
Size

4.7MB
MD5

54ecf3b1b54e1545932d192028062920
SHA1

d2e782948ee072123c050d8effeac7bfbb9fa1db
SHA256

42b6039b1b34b619b8b3080e75f58b1ad6d37b8f87c53cb13b7fcbf01fb055af
SHA512

3777bcc8b8a549347c65a5e8ab384f681daf6cd5f57811e37452406c2ce3bbe7b55d4fc2fcdd7db0a7031029ce272d9af8454a6b75d32782bfd648a189b272a7
SSDEEP

98304:x8heRxSeOzLBbDDLPS3Y42u1y8Hnkbv7gfATaJfxREYLT9:iGSFzNbDDW3curkbv73aXRJLT9

Score

7^/10

vmprotect

Executes dropped EXE 1 IoCs

pid	Process
2020	nplptbz.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/408-0-0x0000000000400000-0x0000000000924000-memory.dmp	vmprotect
behavioral2/files/0x0006000000022e19-4.dat	vmprotect
behavioral2/files/0x0006000000022e19-5.dat	vmprotect
behavioral2/memory/2020-6-0x0000000000400000-0x0000000000924000-memory.dmp	vmprotect

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hkvwtded\nplptbz.exe	NEAS.54ecf3b1b54e1545932d192028062920.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 2020	408	NEAS.54ecf3b1b54e1545932d192028062920.exe	87
PID 408 wrote to memory of 2020	408	NEAS.54ecf3b1b54e1545932d192028062920.exe	87
PID 408 wrote to memory of 2020	408	NEAS.54ecf3b1b54e1545932d192028062920.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.54ecf3b1b54e1545932d192028062920.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.54ecf3b1b54e1545932d192028062920.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:408
- C:\Program Files (x86)\hkvwtded\nplptbz.exe
  "C:\Program Files (x86)\hkvwtded\nplptbz.exe"
  2⤵
  - Executes dropped EXE
  PID:2020

C:\Program Files (x86)\hkvwtded\nplptbz.exe

Filesize
4.7MB

MD5
63beed78a8b23e8b816729cc464415f1

SHA1
9436c8524e0343a863982a387a3dda7e15f94bb5

SHA256
8daeb574ea46f182c9e0f733258e2c86513cd9ef2d1bc21d0b1cd5f0d1ee9f89

SHA512
c7542237cb3e11da471a3b35124e5372078162ab834250a11c4fc4b00315afc2f8227a4faf0601663024450ae97876e0bd6f27c59747309776d310d26a46301d

Download Submit
C:\Program Files (x86)\hkvwtded\nplptbz.exe

Filesize
4.7MB

MD5
63beed78a8b23e8b816729cc464415f1

SHA1
9436c8524e0343a863982a387a3dda7e15f94bb5

SHA256
8daeb574ea46f182c9e0f733258e2c86513cd9ef2d1bc21d0b1cd5f0d1ee9f89

SHA512
c7542237cb3e11da471a3b35124e5372078162ab834250a11c4fc4b00315afc2f8227a4faf0601663024450ae97876e0bd6f27c59747309776d310d26a46301d

Download Submit
memory/408-0-0x0000000000400000-0x0000000000924000-memory.dmp

Filesize
5.1MB

Download
memory/2020-6-0x0000000000400000-0x0000000000924000-memory.dmp

Filesize
5.1MB

Download