d5c11868d1f270ad17395f5f5332e6ed505ff56294932627c266c2dbc2b6ec5f

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 01:04

Target

1f0d516882852f1d18f5f0723cf30d14.exe
Size

2.6MB
MD5

1f0d516882852f1d18f5f0723cf30d14
SHA1

b80cf1c81498336dbf6c81bfe32bc3546ea2dfd8
SHA256

d5c11868d1f270ad17395f5f5332e6ed505ff56294932627c266c2dbc2b6ec5f
SHA512

535f590c0c9fa2801296a673185a4cd6d7d06400e41b1455d9e82f01834b9244d1d81922e0d894dacf278c48702f2314a588525f0b017041869c7df8a12db042
SSDEEP

49152:pylrGmYSKQt6PLXvpG21/CdPquHHnB2hX3hdop/YuLDN:Yp/YXQt6D/pDCPpHnShdoOm

Score

7^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1016-2-0x0000000000F40000-0x00000000016B9000-memory.dmp	vmprotect
behavioral1/memory/1016-10-0x0000000000F40000-0x00000000016B9000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1016	1f0d516882852f1d18f5f0723cf30d14.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2088	1016	1f0d516882852f1d18f5f0723cf30d14.exe	29
PID 1016 wrote to memory of 2088	1016	1f0d516882852f1d18f5f0723cf30d14.exe	29
PID 1016 wrote to memory of 2088	1016	1f0d516882852f1d18f5f0723cf30d14.exe	29
PID 1016 wrote to memory of 2088	1016	1f0d516882852f1d18f5f0723cf30d14.exe	29
PID 1016 wrote to memory of 2220	1016	1f0d516882852f1d18f5f0723cf30d14.exe	30
PID 1016 wrote to memory of 2220	1016	1f0d516882852f1d18f5f0723cf30d14.exe	30
PID 1016 wrote to memory of 2220	1016	1f0d516882852f1d18f5f0723cf30d14.exe	30
PID 1016 wrote to memory of 2220	1016	1f0d516882852f1d18f5f0723cf30d14.exe	30
PID 1016 wrote to memory of 2204	1016	1f0d516882852f1d18f5f0723cf30d14.exe	31
PID 1016 wrote to memory of 2204	1016	1f0d516882852f1d18f5f0723cf30d14.exe	31
PID 1016 wrote to memory of 2204	1016	1f0d516882852f1d18f5f0723cf30d14.exe	31
PID 1016 wrote to memory of 2204	1016	1f0d516882852f1d18f5f0723cf30d14.exe	31

C:\Users\Admin\AppData\Local\Temp\1f0d516882852f1d18f5f0723cf30d14.exe
"C:\Users\Admin\AppData\Local\Temp\1f0d516882852f1d18f5f0723cf30d14.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c color 06
  2⤵
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c color 0C
  2⤵
  PID:2204

memory/1016-2-0x0000000000F40000-0x00000000016B9000-memory.dmp

Filesize
7.5MB

Download
memory/1016-0-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1016-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1016-5-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1016-6-0x0000000077B80000-0x0000000077B81000-memory.dmp

Filesize
4KB

Download
memory/1016-10-0x0000000000F40000-0x00000000016B9000-memory.dmp

Filesize
7.5MB

Download