d5431c831b6303879c5afcd77ef272bf8b39bf6c55b803e16738300403971f77

Analysis

max time kernel
133s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 01:44

Target

d5431c831b6303879c5afcd77ef272bf8b39bf6c55b803e16738300403971f77.exe
Size

5.2MB
MD5

1539f25069e9236e9154e46691979c25
SHA1

04bf3c30d6810279c8f962c8550a49738b8e8394
SHA256

d5431c831b6303879c5afcd77ef272bf8b39bf6c55b803e16738300403971f77
SHA512

ab13f3ce73606f13ee272febdc5a016b2b78b780c19b0b84fd97ab0a680421af3e0ca3f551c2f5d927133cce6d7204be59148612defc8869a61f828385bd8e3d
SSDEEP

98304:ewc3evzvh7phFW/Qwk8khbNqk9mgHdk6K1bDrlTD91a/PdC9F9RVN9:ewcipFW/Qw7ob0gH6F/rVDuXdu/F

Score

9^/10

vmprotect

Detects executables packed with VMProtect. 3 IoCs

resource	yara_rule
behavioral2/memory/4592-0-0x0000000000400000-0x00000000008CE000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/files/0x000a000000023b7d-5.dat	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3276-6-0x0000000000400000-0x00000000008CE000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Executes dropped EXE 1 IoCs

pid	Process
3276	wpr.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/4592-0-0x0000000000400000-0x00000000008CE000-memory.dmp	vmprotect
behavioral2/files/0x000a000000023b7d-5.dat	vmprotect
behavioral2/memory/3276-6-0x0000000000400000-0x00000000008CE000-memory.dmp	vmprotect

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\bvqdcknxmf\wpr.exe	d5431c831b6303879c5afcd77ef272bf8b39bf6c55b803e16738300403971f77.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 3276	4592	d5431c831b6303879c5afcd77ef272bf8b39bf6c55b803e16738300403971f77.exe	83
PID 4592 wrote to memory of 3276	4592	d5431c831b6303879c5afcd77ef272bf8b39bf6c55b803e16738300403971f77.exe	83
PID 4592 wrote to memory of 3276	4592	d5431c831b6303879c5afcd77ef272bf8b39bf6c55b803e16738300403971f77.exe	83

C:\Users\Admin\AppData\Local\Temp\d5431c831b6303879c5afcd77ef272bf8b39bf6c55b803e16738300403971f77.exe
"C:\Users\Admin\AppData\Local\Temp\d5431c831b6303879c5afcd77ef272bf8b39bf6c55b803e16738300403971f77.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Program Files (x86)\bvqdcknxmf\wpr.exe
  "C:\Program Files (x86)\bvqdcknxmf\wpr.exe"
  2⤵
  - Executes dropped EXE
  PID:3276

C:\Program Files (x86)\bvqdcknxmf\wpr.exe

Filesize
5.2MB

MD5
aac7166ad4b544acd6252c2f627f1ef6

SHA1
db0ba5bd7f12feb9b6f6ff067e6d59e53a84a8f0

SHA256
71d5d6877cecf3e64149c42ff11508cfd46161bc1336f253bcc4818901e0f73a

SHA512
2e717bf56efa8dc737168bc67d8bf86689310236038a709bb50fe2fc8562f5de882fbfe225ccb0cd8f7519be8b7539da97f51ab2c6eb6fdc09bbc59b93604d1a

Download Submit
memory/3276-6-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/4592-0-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download