c8a40e8a075c7702f16de499dadbe7a8f437579eef39cf980835d111c8cdf173

General

Target

014653d6b17f29083cbb62debb2993fc.exe
Size

8.6MB
MD5

014653d6b17f29083cbb62debb2993fc
SHA1

710416458c5c0e75aa3d836d64d1f4da5f20b2c2
SHA256

c8a40e8a075c7702f16de499dadbe7a8f437579eef39cf980835d111c8cdf173
SHA512

3ecedcfa701541c3fd09f272863a11b39f7217fac86fd5d7b58340bba6fed31fac6bf763173a20cc1dff851d4f448dbadc1e04b26d84a70d833b31dd4468e48e
SSDEEP

196608:pyq4a9r9hPj5hKAeLykkEU7wiMPnH/ELax32OGgVVPqLp29Bn:pyqF15haLyjEU7wzPld2ePqc

Score

7^/10

vmprotect

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos

Executes dropped EXE 1 IoCs

pid	Process
2752	zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos

Loads dropped DLL 1 IoCs

pid	Process
2108	014653d6b17f29083cbb62debb2993fc.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2108-0-0x0000000000400000-0x00000000015DA000-memory.dmp	vmprotect
behavioral1/memory/2108-7-0x0000000000400000-0x00000000015DA000-memory.dmp	vmprotect
behavioral1/files/0x000b000000012243-15.dat	vmprotect
behavioral1/files/0x000b000000012243-18.dat	vmprotect
behavioral1/files/0x000b000000012243-19.dat	vmprotect
behavioral1/memory/2752-21-0x0000000000400000-0x00000000015DA000-memory.dmp	vmprotect
behavioral1/memory/2108-29-0x0000000000400000-0x00000000015DA000-memory.dmp	vmprotect
behavioral1/memory/2752-30-0x0000000000400000-0x00000000015DA000-memory.dmp	vmprotect
behavioral1/memory/2752-43-0x0000000000400000-0x00000000015DA000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2108	014653d6b17f29083cbb62debb2993fc.exe
2752	zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2108	014653d6b17f29083cbb62debb2993fc.exe
2108	014653d6b17f29083cbb62debb2993fc.exe
2752	zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos
2752	zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2752	2108	014653d6b17f29083cbb62debb2993fc.exe	28
PID 2108 wrote to memory of 2752	2108	014653d6b17f29083cbb62debb2993fc.exe	28
PID 2108 wrote to memory of 2752	2108	014653d6b17f29083cbb62debb2993fc.exe	28
PID 2108 wrote to memory of 2752	2108	014653d6b17f29083cbb62debb2993fc.exe	28

C:\Users\Admin\AppData\Local\Temp\014653d6b17f29083cbb62debb2993fc.exe
"C:\Users\Admin\AppData\Local\Temp\014653d6b17f29083cbb62debb2993fc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos
  C:\Users\Admin\AppData\Local\Temp\zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos C:\Users\Admin\AppData\Local\Temp\014653d6b17f29083cbb62debb2993fc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TuTuchk.ini

Filesize
44B

MD5
ba0e09c965ffb6ed9c44a6681cdfd6a5

SHA1
98f917d5ab77dcb5d4184de72398928aef6293a5

SHA256
e226424995984530eaa5630912db12694a9a3769e1335459522dad083f2358ac

SHA512
2c2f82a2a53c111fafce0d6d7c50306df5acedb0092199427194448134fd75be82664aaf03b92610a027b784ef7d70e378ef3094ea589782d270892fa2a4248d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos

Filesize
2.0MB

MD5
1e8c38e0c72cec085325e177e4f2b284

SHA1
9847e1b651e4da5788db75fff33e671f05cb67f1

SHA256
03ea1c678c74feea8fe8c244492ed3a3e61ee09d53409e206dd0cb0f6cc0f745

SHA512
03694e72756673b7670d5451d97269a39cfc501a2c5e7c35e3775d87276dd5e1d6bc2cc1a8ecd1d1f53421a11752931a58377fa25b8386992247ce7031525219

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos

Filesize
2.1MB

MD5
c1ca136ebe7ffb8103f652d041fc37f0

SHA1
646e0f2ac71b68d900f7fcce00cce4e3a55b5fbf

SHA256
6bd0cd18224598708423d8288d29527c50962b10fbb0a02cd009b4d986b8f8d4

SHA512
ccbc2c7b2fb454d642bff7fc66109e2e9145d7d28adb486a934983d0588536cfd66f2bc535cc44f7cca48373a47c5e6975c474aa6648de37adfb22f4bf148e4e

Download Submit
\Users\Admin\AppData\Local\Temp\zsdbfkbolxhzkdosvfkvhmvmikbspvtfdzgxpqiaeccsnbjdpm.ssltssldos

Filesize
1.2MB

MD5
84e7e7fbb356a81f003ab9254f20d934

SHA1
eadf0eab5f7f26a07e07fce80dd8858a8ec1d2f7

SHA256
81b7fa6a097c1774085860fa1cab3118d9a9062cb2b3cc137898e6a291f0d4e2

SHA512
f2706b30f40c73f995299a9b6007805694dc5c3fff2c4666405f105b907409d326a01fcd33ed55c99de896045863774cca3249ed1493592779f345983ce3ec80

Download Submit
memory/2108-7-0x0000000000400000-0x00000000015DA000-memory.dmp

Filesize
17.9MB

Download
memory/2108-13-0x00000000778D0000-0x00000000778D1000-memory.dmp

Filesize
4KB

Download
memory/2108-12-0x0000000077050000-0x0000000077051000-memory.dmp

Filesize
4KB

Download
memory/2108-0-0x0000000000400000-0x00000000015DA000-memory.dmp

Filesize
17.9MB

Download
memory/2108-8-0x0000000077050000-0x0000000077051000-memory.dmp

Filesize
4KB

Download
memory/2108-3-0x00000000778D0000-0x00000000778D1000-memory.dmp

Filesize
4KB

Download
memory/2108-20-0x00000000041C0000-0x000000000539A000-memory.dmp

Filesize
17.9MB

Download
memory/2108-29-0x0000000000400000-0x00000000015DA000-memory.dmp

Filesize
17.9MB

Download
memory/2108-1-0x00000000778D0000-0x00000000778D1000-memory.dmp

Filesize
4KB

Download
memory/2752-21-0x0000000000400000-0x00000000015DA000-memory.dmp

Filesize
17.9MB

Download
memory/2752-30-0x0000000000400000-0x00000000015DA000-memory.dmp

Filesize
17.9MB

Download
memory/2752-43-0x0000000000400000-0x00000000015DA000-memory.dmp

Filesize
17.9MB

Download

Analysis

Sharing