f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a

General

Target

f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe
Size

9.9MB
MD5

bbe85507c3d30efe4e8ac3b2f7e0ac66
SHA1

90dd939e57b918c63c41052306f89bd57a5118e8
SHA256

f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a
SHA512

576b6b027d9f00a6f35d098a20e2c3ee3152e37b0015050dfb128bb4eab66ddbfeddeb4cd1e933805ba9d66f4071016188b4b0a557562d1bed5b2c722ffba26e
SSDEEP

196608:OkHYh3yx6GlD/3qsH0u51sKsb99zd4JwWziNdxiLnG57o246fiv3r1y:r6isGh1PTxsb/54JNiN4q7746qv35y

Score

7^/10

upx vmprotect

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4680-12-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-52-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-54-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4680-0-0x0000000000400000-0x000000000167D000-memory.dmp	vmprotect
behavioral2/memory/4680-4-0x0000000000400000-0x000000000167D000-memory.dmp	vmprotect
behavioral2/memory/4680-42-0x0000000000400000-0x000000000167D000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe
4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe
4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe
4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe
4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe
4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 3088	4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe	94
PID 4680 wrote to memory of 3088	4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe	94
PID 4680 wrote to memory of 3088	4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe	94
PID 4680 wrote to memory of 3056	4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe	93
PID 4680 wrote to memory of 3056	4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe	93
PID 4680 wrote to memory of 3056	4680	f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe	93

C:\Users\Admin\AppData\Local\Temp\f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe
"C:\Users\Admin\AppData\Local\Temp\f5c4e5f2762434c4bab88a05773de56b9f7db01da49e85b67da1f9a3eb1f425a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\cmd.exe
  cmd /C del / f / s / q %windir%\\temp\\*.log
  2⤵
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /C del / f / s / q %windir%\\prefetch\\*.*
  2⤵
  PID:3088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4680-0-0x0000000000400000-0x000000000167D000-memory.dmp

Filesize
18.5MB

Download
memory/4680-2-0x0000000001950000-0x0000000001951000-memory.dmp

Filesize
4KB

Download
memory/4680-1-0x0000000001930000-0x0000000001931000-memory.dmp

Filesize
4KB

Download
memory/4680-4-0x0000000000400000-0x000000000167D000-memory.dmp

Filesize
18.5MB

Download
memory/4680-5-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/4680-3-0x0000000001980000-0x0000000001981000-memory.dmp

Filesize
4KB

Download
memory/4680-6-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/4680-7-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/4680-8-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/4680-12-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-42-0x0000000000400000-0x000000000167D000-memory.dmp

Filesize
18.5MB

Download
memory/4680-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-54-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing