021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 18:08

Target

021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08.exe
Size

5.5MB
MD5

0d61a077c3c7b3eccff501decb5edab8
SHA1

0648e041a64c59e634ea9a2f8f2e71c2db1b772c
SHA256

021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08
SHA512

21593518500122617a2d1c67d4263c371acdaf7a6944733765d035a58a3177aa08b9b32fa1b78da3870a4240de7dc9588f0cf2679f97c62d359c2565c8ad34d9
SSDEEP

98304:Q4UuJam8M/k/0n+415zScTqve6DOAsqnYG7dk74mvq2mkY6NiRaP7hEMC:v/Imz/Znj86udk7nY8zP7dC

Score

9^/10

vmprotect

Detects executables packed with VMProtect. 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001444f-1.dat	INDICATOR_EXE_Packed_VMProtect

Executes dropped EXE 1 IoCs

pid	Process
2816	tdbocdkwy.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/files/0x000c00000001444f-1.dat	vmprotect

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\cvyicf\tdbocdkwy.exe	021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2816	2972	021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08.exe	28
PID 2972 wrote to memory of 2816	2972	021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08.exe	28
PID 2972 wrote to memory of 2816	2972	021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08.exe	28
PID 2972 wrote to memory of 2816	2972	021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08.exe	28

C:\Users\Admin\AppData\Local\Temp\021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08.exe
"C:\Users\Admin\AppData\Local\Temp\021338b2cb9c88a0ba6ac1f2fa77d69875b399290da81e9e36e035cbce5c1f08.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files (x86)\cvyicf\tdbocdkwy.exe
  "C:\Program Files (x86)\cvyicf\tdbocdkwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2816

\Program Files (x86)\cvyicf\tdbocdkwy.exe

Filesize
5.5MB

MD5
f435252a57c2e8d9bb16c6201b2e166d

SHA1
0440ea7a583eb0ef5760689eb45e439b39d2cb00

SHA256
6ddf668a995dae5727faeb5cf1a29ec0b53a992b5b325901ddeabad444ab73c0

SHA512
6611621046fed924bc09d9da64b0306a55b6231a05ce54afc1ff72f4f9a99827cd8ef2b9d51fb7930e42a8a53456cdb00a0ecbfad4deccfa20ccc48138eb2f30

Download Submit