28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279 | Triage

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2022 06:51

Sharing

Report Analysis Logs

General

Target

28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279.dll
Size

5.7MB
MD5

0c1f5ed66819d2e2c6ef7abcced5ce6a
SHA1

26bc4206d03a4bbad833221c6ac56a9914d4c887
SHA256

28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279
SHA512

7447c813dc005ca4217ba99ea10a02f6b3cbee5d6376acf571be28bf0883595399c4ae0bc5372ffc4b1cb7ac266681078e7b48d8f73994edc3a61f0510b3affc

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/4432-131-0x0000000010000000-0x0000000010970000-memory.dmp	vmprotect
behavioral2/memory/4432-132-0x0000000010000000-0x0000000010970000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

4432 rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4432 rundll32.exe
4432 rundll32.exe
4432 rundll32.exe
4432 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 856 wrote to memory of 4432	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 4432	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 4432	856	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279.dll,#1
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4432-130-0x0000000000000000-mapping.dmp

Download
memory/4432-131-0x0000000010000000-0x0000000010970000-memory.dmp

Filesize
9.4MB

Download
memory/4432-132-0x0000000010000000-0x0000000010970000-memory.dmp

Filesize
9.4MB

Download