849b1a63c8593ce5970e7026fdd70005a3067a5c27f783cf7b2d0babd413c572

Analysis

max time kernel
122s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 18:42

Target

0cbd353949ea2a0817a46eb36e609d13.exe
Size

61KB
MD5

0cbd353949ea2a0817a46eb36e609d13
SHA1

415687a7a5869c77737c940dd5c6ef003a5c4856
SHA256

849b1a63c8593ce5970e7026fdd70005a3067a5c27f783cf7b2d0babd413c572
SHA512

50cbaacc591796a8b15ef82e82b78d158320f6db8e9e059ffdb3380a4d7d81e444df063f8fd73beb389086d521ec9bd313fd083720c5e9a31570e80aaf4d2468
SSDEEP

1536:uLgucxdnFpJv1rV96Haz3YKVkNje+ODCPgMvp3P:uMuGFpXr26z3jkNjS3MZ

Score

7^/10

vmprotect

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2272	0cbd353949ea2a0817a46eb36e609d13.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/files/0x000a000000012256-1.dat	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bnsspx.dll	0cbd353949ea2a0817a46eb36e609d13.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	0cbd353949ea2a0817a46eb36e609d13.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2272	0cbd353949ea2a0817a46eb36e609d13.exe
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2272	0cbd353949ea2a0817a46eb36e609d13.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2972	2272	0cbd353949ea2a0817a46eb36e609d13.exe	30
PID 2272 wrote to memory of 2972	2272	0cbd353949ea2a0817a46eb36e609d13.exe	30
PID 2272 wrote to memory of 2972	2272	0cbd353949ea2a0817a46eb36e609d13.exe	30
PID 2272 wrote to memory of 2972	2272	0cbd353949ea2a0817a46eb36e609d13.exe	30

C:\Users\Admin\AppData\Local\Temp\0cbd353949ea2a0817a46eb36e609d13.exe
"C:\Users\Admin\AppData\Local\Temp\0cbd353949ea2a0817a46eb36e609d13.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\uisad.bat
  2⤵
  - Deletes itself
  PID:2972

C:\uisad.bat

Filesize
185B

MD5
b0bae2d28f3b696eaaa68e22252db321

SHA1
f77c20dae7f115a0f916943db175849a1b80926f

SHA256
fa456238c3369f32f98060e5ad4175c7e587f1a4f49e19d1af9994bdcbb34df1

SHA512
f21fd6124f0145dc771530d471663ecfdaf9e6d33c54c14dfd62b2ac2570feb3982cb168798300f9d159c8fe492fe1f03a530ad3d1e78223dc7115db7390b882

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
12KB

MD5
f19d996ffa3ad551c2298902e5bfc752

SHA1
a53d720be21cf235fa7af97b982c296707d0d54d

SHA256
1ae264ac12c9e787f166e25ccce794cb2938853d3b3a3a398f83295d455e69f2

SHA512
24980729193c7ecdd755d5f61e103d0f520f528ff616cfe96fffc9de5a601f38f2e803c21307d3e32d22c856df1fb547b557c65f4a3875d7b1d90118da3e4249

Download Submit