42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Size

6.1MB
MD5

a3314c6acf0ac7cd9e0117dc9e9ba01a
SHA1

695da82e6cd5c569cbd9a020ffee4a85175d3c2d
SHA256

42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46
SHA512

e7c5db318f660be8556ede74211a71f146af27578d46a714c95bb1258ec675248924dcca99e14bd7f687e380cc390bee95c6bb0669721bf854195c324060f852
SSDEEP

98304:Nw99p6pzBrWtG6E61pLVvnTQZ9ZfQfhGe6HJsH/ocMxzmUdC5hopYIGElv00e:Nw9zctWtwULVvnE90hMsAc6zI5MJFv0

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1932-37-0x0000000000400000-0x0000000001082000-memory.dmp	vmprotect
behavioral1/memory/1932-39-0x0000000000400000-0x0000000001082000-memory.dmp	vmprotect
behavioral1/memory/1932-46-0x0000000000400000-0x0000000001082000-memory.dmp	vmprotect
behavioral1/memory/1932-47-0x0000000000400000-0x0000000001082000-memory.dmp	vmprotect
behavioral1/memory/1932-51-0x0000000000400000-0x0000000001082000-memory.dmp	vmprotect

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2472 1932 WerFault.exe 42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

pid process

1932 42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
1932 42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

pid	pid_target	process	target process
2472	1932	WerFault.exe	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

pid	process
1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

description	pid	process
Token: SeDebugPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 1	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeCreateTokenPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeAssignPrimaryTokenPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeLockMemoryPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeIncreaseQuotaPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeMachineAccountPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeTcbPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeSecurityPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeTakeOwnershipPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeLoadDriverPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeSystemProfilePrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeSystemtimePrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeProfSingleProcessPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeIncBasePriorityPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeCreatePagefilePrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeCreatePermanentPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeBackupPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeRestorePrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeShutdownPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeDebugPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeAuditPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeSystemEnvironmentPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeChangeNotifyPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeRemoteShutdownPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeUndockPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeSyncAgentPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeEnableDelegationPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeManageVolumePrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeImpersonatePrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: SeCreateGlobalPrivilege	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 31	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 32	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 33	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 34	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 35	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 36	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 37	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 38	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 39	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 40	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 41	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 42	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 43	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 44	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 45	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 46	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 47	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
Token: 48	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

pid process

1932 42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
1932 42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

pid	process
1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe

description	pid	process	target process
PID 1932 wrote to memory of 2472	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe	WerFault.exe
PID 1932 wrote to memory of 2472	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe	WerFault.exe
PID 1932 wrote to memory of 2472	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe	WerFault.exe
PID 1932 wrote to memory of 2472	1932	42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe
"C:\Users\Admin\AppData\Local\Temp\42efa7b100db85b31b900dbf8b89f35a894bf3805a095bc4e9f957982e7caf46.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 928
2⤵
- Program crash
PID:2472

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2776

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-29-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1932-37-0x0000000000400000-0x0000000001082000-memory.dmp

Filesize
12.5MB

Download
memory/1932-35-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1932-33-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1932-31-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1932-30-0x0000000000735000-0x0000000000A6F000-memory.dmp

Filesize
3.2MB

Download
memory/1932-27-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1932-24-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1932-22-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1932-19-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1932-17-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1932-14-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1932-12-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1932-9-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1932-7-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1932-5-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1932-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1932-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1932-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1932-39-0x0000000000400000-0x0000000001082000-memory.dmp

Filesize
12.5MB

Download
memory/1932-46-0x0000000000400000-0x0000000001082000-memory.dmp

Filesize
12.5MB

Download
memory/1932-47-0x0000000000400000-0x0000000001082000-memory.dmp

Filesize
12.5MB

Download
memory/1932-51-0x0000000000400000-0x0000000001082000-memory.dmp

Filesize
12.5MB

Download
memory/1932-52-0x0000000000735000-0x0000000000A6F000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads