dc08ed32f50ce0d2109e580e911d46f1ac2f11327c64217ef97bc71dd07c3161

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 05:05

Target

56943fda4e1e5fb623bfde74d81b4659.exe
Size

144KB
MD5

56943fda4e1e5fb623bfde74d81b4659
SHA1

53cc932db48aaaae4b80e39b7efe00b6d8816046
SHA256

dc08ed32f50ce0d2109e580e911d46f1ac2f11327c64217ef97bc71dd07c3161
SHA512

54c831ff86a88cbd7ba08dc90d66ea77ac569fcbd229ef8e4bbbce6afb5d3041853ede0fe1dc448b087802ba7274d82692c6edf60f86e7e9b969b5191a11b825
SSDEEP

3072:iabbqevyyHDnla6YR0nArsclYQcqsaEupjnnto65X8mOKGEVa8d:i6W6LlPnAVzXE+ntFXgKGEVr

Score

7^/10

vmprotect

Executes dropped EXE 1 IoCs

pid	Process
2840	ayws.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/4996-0-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect
behavioral2/files/0x000400000001e630-4.dat	vmprotect
behavioral2/memory/2840-5-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect
behavioral2/memory/4996-7-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect
behavioral2/memory/2840-6-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect
behavioral2/files/0x000400000001e630-3.dat	vmprotect
behavioral2/memory/4996-1-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect
behavioral2/memory/2840-8-0x0000000000400000-0x0000000000448000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ayws.exe	56943fda4e1e5fb623bfde74d81b4659.exe
File opened for modification	C:\Windows\SysWOW64\ayws.exe	56943fda4e1e5fb623bfde74d81b4659.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4996	56943fda4e1e5fb623bfde74d81b4659.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3384	4996	56943fda4e1e5fb623bfde74d81b4659.exe	20
PID 4996 wrote to memory of 3384	4996	56943fda4e1e5fb623bfde74d81b4659.exe	20
PID 4996 wrote to memory of 3384	4996	56943fda4e1e5fb623bfde74d81b4659.exe	20

C:\Users\Admin\AppData\Local\Temp\56943fda4e1e5fb623bfde74d81b4659.exe
"C:\Users\Admin\AppData\Local\Temp\56943fda4e1e5fb623bfde74d81b4659.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56943F~1.EXE > nul
  2⤵
  PID:3384

C:\Windows\SysWOW64\ayws.exe
C:\Windows\SysWOW64\ayws.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\SysWOW64\ayws.exe

Filesize
144KB

MD5
56943fda4e1e5fb623bfde74d81b4659

SHA1
53cc932db48aaaae4b80e39b7efe00b6d8816046

SHA256
dc08ed32f50ce0d2109e580e911d46f1ac2f11327c64217ef97bc71dd07c3161

SHA512
54c831ff86a88cbd7ba08dc90d66ea77ac569fcbd229ef8e4bbbce6afb5d3041853ede0fe1dc448b087802ba7274d82692c6edf60f86e7e9b969b5191a11b825

Download Submit
C:\Windows\SysWOW64\ayws.exe

Filesize
85KB

MD5
e147cfe8f60e623edbf8313c087ea1b8

SHA1
f536eb65215e55be80a6a32c29a8fa2456cf9aaa

SHA256
b83fa64ea2a829afdcf40b8cfb9c88e739b8b224b95ac701b2f1012282866727

SHA512
601beb325e550c9a619af85cd02bc4e7498e037429dbe7a20db511c5d9cc5c610de01584d0d61972c0d77f5f01b26e849d4b966f0182e228fffeeb1b577961f2

Download Submit
memory/2840-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2840-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2840-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4996-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4996-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4996-1-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download