37d4d9321823a05f90dfc1266c9162df214748e8b243cda967dfe307901dce2d | Triage

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 22:01

Sharing

Report Analysis Logs

General

Target

12.dll
Size

10.0MB
MD5

6048e9361c3789c78ef93a9291beacc5
SHA1

cf8a05ba0aef127e811414b7ae1059b1755512de
SHA256

fbb8125816b672c13c34305ba11aa5fc175fa032a6d53604c52d1dd4d7751446
SHA512

4e5112c24635ef0fd37cec17d4a46fb376aa083b6eec3777b22899d289fe6966704b6595535fa64258c4afec1f92c7dada89fc8696a66539919f236ee0b9cc2f

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1348-56-0x0000000001F20000-0x0000000004497000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1348	1256	rundll32.exe	28
PID 1256 wrote to memory of 1348	1256	rundll32.exe	28
PID 1256 wrote to memory of 1348	1256	rundll32.exe	28
PID 1256 wrote to memory of 1348	1256	rundll32.exe	28
PID 1256 wrote to memory of 1348	1256	rundll32.exe	28
PID 1256 wrote to memory of 1348	1256	rundll32.exe	28
PID 1256 wrote to memory of 1348	1256	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\12.dll,#1
  2⤵
  PID:1348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-55-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1348-56-0x0000000001F20000-0x0000000004497000-memory.dmp

Filesize
37.5MB

Download