6b0ca847febfe93e219418db5cfd90b90c92567a9d8e79047d654a41bc6f2471

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 03:08

Target

714991e30ca905a85311eb53d6c02753.exe
Size

78KB
MD5

714991e30ca905a85311eb53d6c02753
SHA1

94a7b93e9cb051e97392797bad2b4aeaa99f8a51
SHA256

6b0ca847febfe93e219418db5cfd90b90c92567a9d8e79047d654a41bc6f2471
SHA512

d29c121a8509a6fca1b5c25db5d18009b266962153622a7433a2fae1d715d800a7a4caf2edb34c8f264812f9ae9ba7abeb2cb70f9d05c104356b8f315b5f725b
SSDEEP

1536:08tljw/btz4//CrxjhCPSUD4YPpNc5wQa6YnLtbWlNVbg/pJZz3pPRi/:tbehlwNBQa6sZcrAN3B

Score

7^/10

vmprotect

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1220	714991e30ca905a85311eb53d6c02753.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1220-0-0x0000000000400000-0x000000000042E000-memory.dmp	vmprotect
behavioral1/memory/1220-4-0x0000000000400000-0x000000000042E000-memory.dmp	vmprotect

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Rymltqy.dll	714991e30ca905a85311eb53d6c02753.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1220	714991e30ca905a85311eb53d6c02753.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2784	1220	714991e30ca905a85311eb53d6c02753.exe	28
PID 1220 wrote to memory of 2784	1220	714991e30ca905a85311eb53d6c02753.exe	28
PID 1220 wrote to memory of 2784	1220	714991e30ca905a85311eb53d6c02753.exe	28
PID 1220 wrote to memory of 2784	1220	714991e30ca905a85311eb53d6c02753.exe	28

C:\Users\Admin\AppData\Local\Temp\714991e30ca905a85311eb53d6c02753.exe
"C:\Users\Admin\AppData\Local\Temp\714991e30ca905a85311eb53d6c02753.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\714991~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2784

\Windows\SysWOW64\Rymltqy.dll

Filesize
71KB

MD5
d9a0915eb425d011338cec421ab3e98e

SHA1
4c2549650cf9deb0a6c7e448c1ea2a741bf9143a

SHA256
341011114164914619cd729ae119a5222c9ad3702852763b0d1eb3f11041eaa2

SHA512
8dd2170cad5934a6231f4b0ef5d4a15fd77b7e168b4749a3a41b849d7f070103106c818e6e26d111d7ecc2a4f5eddd2c6f6e6b1e8291d40aa191adcdd2689422

Download Submit
memory/1220-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1220-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download