dc08ed32f50ce0d2109e580e911d46f1ac2f11327c64217ef97bc71dd07c3161

Analysis

max time kernel
123s
max time network
133s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 05:05

Target

56943fda4e1e5fb623bfde74d81b4659.exe
Size

144KB
MD5

56943fda4e1e5fb623bfde74d81b4659
SHA1

53cc932db48aaaae4b80e39b7efe00b6d8816046
SHA256

dc08ed32f50ce0d2109e580e911d46f1ac2f11327c64217ef97bc71dd07c3161
SHA512

54c831ff86a88cbd7ba08dc90d66ea77ac569fcbd229ef8e4bbbce6afb5d3041853ede0fe1dc448b087802ba7274d82692c6edf60f86e7e9b969b5191a11b825
SSDEEP

3072:iabbqevyyHDnla6YR0nArsclYQcqsaEupjnnto65X8mOKGEVa8d:i6W6LlPnAVzXE+ntFXgKGEVr

Score

7^/10

vmprotect

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	miuy.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2348-1-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect
behavioral1/memory/2348-7-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect
behavioral1/memory/2388-6-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect
behavioral1/memory/2388-5-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect
behavioral1/memory/2388-8-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\miuy.exe	56943fda4e1e5fb623bfde74d81b4659.exe
File opened for modification	C:\Windows\SysWOW64\miuy.exe	56943fda4e1e5fb623bfde74d81b4659.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2348	56943fda4e1e5fb623bfde74d81b4659.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2864	2348	56943fda4e1e5fb623bfde74d81b4659.exe	15
PID 2348 wrote to memory of 2864	2348	56943fda4e1e5fb623bfde74d81b4659.exe	15
PID 2348 wrote to memory of 2864	2348	56943fda4e1e5fb623bfde74d81b4659.exe	15
PID 2348 wrote to memory of 2864	2348	56943fda4e1e5fb623bfde74d81b4659.exe	15

C:\Users\Admin\AppData\Local\Temp\56943fda4e1e5fb623bfde74d81b4659.exe
"C:\Users\Admin\AppData\Local\Temp\56943fda4e1e5fb623bfde74d81b4659.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56943F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2864

C:\Windows\SysWOW64\miuy.exe
C:\Windows\SysWOW64\miuy.exe
1⤵
- Executes dropped EXE
PID:2388

memory/2348-1-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2348-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2388-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2388-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2388-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download