3f47a4bb6db9f8f926a9f754f475d00ffa39238bc331c61b91c97b65ce76f1a8

General

Target

31669d6dd136f2f3d2dcce5944318e64.exe
Size

4.4MB
MD5

31669d6dd136f2f3d2dcce5944318e64
SHA1

bd9efa11e0085a55c3f9102c6a811fcd26e1f79a
SHA256

3f47a4bb6db9f8f926a9f754f475d00ffa39238bc331c61b91c97b65ce76f1a8
SHA512

bdb63cc1638231682629addf32fb9de51257c46401a170a2f700ea288584b8cc53864bfd44cf81c1fef202e30018209437bfde60834ced84c61fe96d54eb3654
SSDEEP

98304:lqs7WQUP+Mxzy8RjJ+6qKgv9dAdw+EKnU3pO9uCon:wsCQy+N8RjJUKO9dagRZOg

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2716	palq.exe

Loads dropped DLL 1 IoCs

pid	Process
640	31669d6dd136f2f3d2dcce5944318e64.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/640-2-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral1/files/0x0009000000014738-43.dat	vmprotect
behavioral1/memory/640-44-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral1/memory/2716-47-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral1/memory/2716-50-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral1/memory/2716-84-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect
behavioral1/memory/640-5-0x0000000000400000-0x0000000000AFC000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
640	31669d6dd136f2f3d2dcce5944318e64.exe
2716	palq.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
640	31669d6dd136f2f3d2dcce5944318e64.exe
640	31669d6dd136f2f3d2dcce5944318e64.exe
2716	palq.exe
2716	palq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2716	640	31669d6dd136f2f3d2dcce5944318e64.exe	28
PID 640 wrote to memory of 2716	640	31669d6dd136f2f3d2dcce5944318e64.exe	28
PID 640 wrote to memory of 2716	640	31669d6dd136f2f3d2dcce5944318e64.exe	28
PID 640 wrote to memory of 2716	640	31669d6dd136f2f3d2dcce5944318e64.exe	28

C:\Users\Admin\AppData\Local\Temp\31669d6dd136f2f3d2dcce5944318e64.exe
"C:\Users\Admin\AppData\Local\Temp\31669d6dd136f2f3d2dcce5944318e64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\pivl\palq.exe
  "C:\Users\Admin\AppData\Local\Temp\pivl\palq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pivl\palq.exe

Filesize
4.4MB

MD5
a32b9f14c917f5a68366397f0ab9899d

SHA1
207c59148328b86415985e2383107944dab7c007

SHA256
286dfa2a68f24efb71fc7762a3abcdbe89cbefc87628c24339131f2c9959c9c6

SHA512
76250d58cede9076f798ab90421ed6f26d18bb02d5b573ee714a3a4df9512e4be8141a68af888bdda0cccf5b9d9500db04b00ddbc1632f8f9cf7460df7d630b7

Download Submit
memory/640-16-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/640-26-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/640-31-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/640-36-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/640-34-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/640-32-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/640-29-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/640-2-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/640-44-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/640-6-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/640-24-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/640-21-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/640-19-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/640-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/640-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/640-9-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/640-14-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/640-7-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/640-5-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/640-11-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2716-48-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2716-59-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2716-56-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2716-54-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2716-51-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2716-50-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/2716-61-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2716-84-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download
memory/2716-47-0x0000000000400000-0x0000000000AFC000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing