cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
Size

2.0MB
MD5

6521702ff3e2fb002ac242f0140722e2
SHA1

1c28322092cdf339317680dea963d8ef6d0b2256
SHA256

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838
SHA512

0647fddb48d6fd52148606044c1a7045c41c3fdd8e80c54db7c60b24b15833330666524583cc695fabc84c101d1a53f0c23fc9e1f5dac43e6c11748a3d1237e5
SSDEEP

49152:F4pqoqgMqnb/tOpzXpNwFCRCVDAeAaGI6yFuhzcr8w9:F4YgXb/IhE71JGXy05w

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Consold.exe

pid process

2612 Consold.exe
Loads dropped DLL 7 IoCs

Processes:

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exeConsold.exeWerFault.exe

pid process

2588 cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
2612 Consold.exe
2532 WerFault.exe
2532 WerFault.exe
2532 WerFault.exe
2532 WerFault.exe
2532 WerFault.exe

pid	process
2612	Consold.exe

pid	process
2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
2612	Consold.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe

VMProtect packed file 12 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2588-0-0x0000000000400000-0x00000000008E2000-memory.dmp	vmprotect
behavioral1/memory/2588-9-0x0000000000400000-0x00000000008E2000-memory.dmp	vmprotect
\Users\Public\Videos\NVEN1_8\Consold.exe	vmprotect
behavioral1/memory/2588-17-0x0000000002240000-0x00000000022EF000-memory.dmp	vmprotect
behavioral1/memory/2612-21-0x0000000000350000-0x00000000003FF000-memory.dmp	vmprotect
C:\Users\Public\Videos\NVEN1_8\Foundation.dll	vmprotect
behavioral1/memory/2612-23-0x0000000074C00000-0x0000000074C5A000-memory.dmp	vmprotect
behavioral1/memory/2612-24-0x0000000074C00000-0x0000000074C5A000-memory.dmp	vmprotect
behavioral1/memory/2612-26-0x0000000000350000-0x00000000003FF000-memory.dmp	vmprotect
behavioral1/memory/2588-32-0x0000000000400000-0x00000000008E2000-memory.dmp	vmprotect
behavioral1/memory/2612-33-0x0000000000350000-0x00000000003FF000-memory.dmp	vmprotect
behavioral1/memory/2612-34-0x0000000074C00000-0x0000000074C5A000-memory.dmp	vmprotect

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2532 2612 WerFault.exe Consold.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

pid process

2588 cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

pid process

2588 cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
2588 cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

pid	pid_target	process	target process
2532	2612	WerFault.exe	Consold.exe

pid	process
2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

pid	process
2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exeConsold.exe

description	pid	process	target process
PID 2588 wrote to memory of 2612	2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 2588 wrote to memory of 2612	2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 2588 wrote to memory of 2612	2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 2588 wrote to memory of 2612	2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 2588 wrote to memory of 2612	2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 2588 wrote to memory of 2612	2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 2588 wrote to memory of 2612	2588	cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe	Consold.exe
PID 2612 wrote to memory of 2532	2612	Consold.exe	WerFault.exe
PID 2612 wrote to memory of 2532	2612	Consold.exe	WerFault.exe
PID 2612 wrote to memory of 2532	2612	Consold.exe	WerFault.exe
PID 2612 wrote to memory of 2532	2612	Consold.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe
"C:\Users\Admin\AppData\Local\Temp\cdcf999a90d9b8158eed85c26d5d379b85d72994d50d602ee545c7d8d8c97838.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Public\Videos\NVEN1_8\Consold.exe
C:\Users\Public\Videos\NVEN1_8\\Consold.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 228
3⤵
- Loads dropped DLL
- Program crash
PID:2532

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Videos\NVEN1_8\Foundation.dll
Filesize
351KB

MD5
472cdc4b6d8944f8ab7d07fae2d6e2fb

SHA1
7b69ea87786cf743b6c9ae10af6b2d68079421ea

SHA256
f1c38fbf7617b95c5759194688d10b119a5558b5c5777cea96a4dfc09c7b8369

SHA512
b58e823b3d1ea0617ea85c73c6606aaa6ba3e1811c4abbe13580a10aef2c7a2d336dd4c11b4dad03aa5464b497782066e0524c13b55e804ea4d07a630df571f3

Download Submit
\Users\Public\Videos\NVEN1_8\Consold.exe
Filesize
704KB

MD5
2c6343eafc093ff4e5d4b05cc5c6d1d6

SHA1
6c43ab04823f597649099c2158a59858432f8d6a

SHA256
e6aaa366f8c21588b59d4532e155fbdda89616097b619b83db8050409c62157c

SHA512
1eaa404b4c95e942fa95ea7ac1b5344b7466bdbf9837ef2c592e06bad3976aec45fa17ad957d3b91331f147a9b4e674a65fd584f016bb7ed484c1cf67592081f

Download Submit
memory/2588-32-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2588-7-0x0000000076740000-0x0000000076741000-memory.dmp

Filesize
4KB

Download
memory/2588-3-0x0000000077A40000-0x0000000077A41000-memory.dmp

Filesize
4KB

Download
memory/2588-1-0x0000000077A40000-0x0000000077A41000-memory.dmp

Filesize
4KB

Download
memory/2588-9-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2588-14-0x0000000076740000-0x0000000076741000-memory.dmp

Filesize
4KB

Download
memory/2588-17-0x0000000002240000-0x00000000022EF000-memory.dmp

Filesize
700KB

Download
memory/2588-0-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2612-21-0x0000000000350000-0x00000000003FF000-memory.dmp

Filesize
700KB

Download
memory/2612-24-0x0000000074C00000-0x0000000074C5A000-memory.dmp

Filesize
360KB

Download
memory/2612-26-0x0000000000350000-0x00000000003FF000-memory.dmp

Filesize
700KB

Download
memory/2612-23-0x0000000074C00000-0x0000000074C5A000-memory.dmp

Filesize
360KB

Download
memory/2612-33-0x0000000000350000-0x00000000003FF000-memory.dmp

Filesize
700KB

Download
memory/2612-34-0x0000000074C00000-0x0000000074C5A000-memory.dmp

Filesize
360KB

Download