60dc3e25f1cfac87bc4827d8379606a450e358767efcc79b0bf460c006dc57a7

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 02:14

Target

protected_sacrifice.exe
Size

8.5MB
MD5

5e04815f52a1ab2dc4b18f293e542ddd
SHA1

a8c9c6e0644523668ade7427477811b843b19187
SHA256

60dc3e25f1cfac87bc4827d8379606a450e358767efcc79b0bf460c006dc57a7
SHA512

d17c89610b369f06646cbdba1ee874810b038d81d0f66be540a97f4a3e92afb49a26af99cdfa34017db2002375af6ff1c37c149c342a213dcb892ba7542b10cc
SSDEEP

196608:u0duRAkHBahImnxr5y0u9HYbDbZxgZ6KvQ8QflFGS6C:u0s6khaLyKbDbZxgZrOflo

Score

7^/10

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/616-11-0x000000013F7E0000-0x000000014080A000-memory.dmp	vmprotect
behavioral1/memory/616-15-0x000000013F7E0000-0x000000014080A000-memory.dmp	vmprotect
behavioral1/memory/616-17-0x000000013F7E0000-0x000000014080A000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

protected_sacrifice.exe

pid process

616 protected_sacrifice.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2896 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

protected_sacrifice.exe

pid process

616 protected_sacrifice.exe

pid	process
616	protected_sacrifice.exe

pid	process
2896	timeout.exe

pid	process
616	protected_sacrifice.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

protected_sacrifice.execmd.execmd.execmd.exe

description	pid	process	target process
PID 616 wrote to memory of 2588	616	protected_sacrifice.exe	cmd.exe
PID 616 wrote to memory of 2588	616	protected_sacrifice.exe	cmd.exe
PID 616 wrote to memory of 2588	616	protected_sacrifice.exe	cmd.exe
PID 2588 wrote to memory of 2640	2588	cmd.exe	certutil.exe
PID 2588 wrote to memory of 2640	2588	cmd.exe	certutil.exe
PID 2588 wrote to memory of 2640	2588	cmd.exe	certutil.exe
PID 2588 wrote to memory of 3052	2588	cmd.exe	find.exe
PID 2588 wrote to memory of 3052	2588	cmd.exe	find.exe
PID 2588 wrote to memory of 3052	2588	cmd.exe	find.exe
PID 2588 wrote to memory of 1384	2588	cmd.exe	find.exe
PID 2588 wrote to memory of 1384	2588	cmd.exe	find.exe
PID 2588 wrote to memory of 1384	2588	cmd.exe	find.exe
PID 616 wrote to memory of 2648	616	protected_sacrifice.exe	cmd.exe
PID 616 wrote to memory of 2648	616	protected_sacrifice.exe	cmd.exe
PID 616 wrote to memory of 2648	616	protected_sacrifice.exe	cmd.exe
PID 2648 wrote to memory of 2624	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2624	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2624	2648	cmd.exe	cmd.exe
PID 2624 wrote to memory of 2896	2624	cmd.exe	timeout.exe
PID 2624 wrote to memory of 2896	2624	cmd.exe	timeout.exe
PID 2624 wrote to memory of 2896	2624	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\protected_sacrifice.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\protected_sacrifice.exe" MD5
3⤵
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
2⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\cmd.exe
cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
3⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:2896

memory/616-0-0x000000013F9C3000-0x000000013FF90000-memory.dmp

Filesize
5.8MB

Download
memory/616-1-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

Filesize
8KB

Download
memory/616-5-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

Filesize
8KB

Download
memory/616-3-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

Filesize
8KB

Download
memory/616-6-0x0000000076F20000-0x0000000076F22000-memory.dmp

Filesize
8KB

Download
memory/616-10-0x0000000076F20000-0x0000000076F22000-memory.dmp

Filesize
8KB

Download
memory/616-11-0x000000013F7E0000-0x000000014080A000-memory.dmp

Filesize
16.2MB

Download
memory/616-8-0x0000000076F20000-0x0000000076F22000-memory.dmp

Filesize
8KB

Download
memory/616-15-0x000000013F7E0000-0x000000014080A000-memory.dmp

Filesize
16.2MB

Download
memory/616-16-0x000000013F9C3000-0x000000013FF90000-memory.dmp

Filesize
5.8MB

Download
memory/616-17-0x000000013F7E0000-0x000000014080A000-memory.dmp

Filesize
16.2MB

Download