3078b7bb3260fd7caa95d8f2cb64891f803bbd487105ef48742fc2e6f63b6bd1

Analysis

max time kernel
159s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 18:22

Target

3078b7bb3260fd7caa95d8f2cb64891f803bbd487105ef48742fc2e6f63b6bd1.dll
Size

1.3MB
MD5

84186baeda5a7160f6678ebc6bef147d
SHA1

5be06271eedd785357251b5cde5c282896f7e1b8
SHA256

3078b7bb3260fd7caa95d8f2cb64891f803bbd487105ef48742fc2e6f63b6bd1
SHA512

119ab89dfa0994c59e42d5467daad37f4bb63e7144fb58ae1f19af20bd6c8d1ab283da148fe3d083955bed7dfb364bfbc3f700a36953bd874fb698c079bdd5f4
SSDEEP

24576:Q87Zc1bIZYbbX2qtLmU61Jfbz8axrEgK+QHV6sFi8/B0TsU2R2eHVzvdQ:X7Zc1bIMbptK1Jfbz88wwQHVRVB0TsUj

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/3152-133-0x0000000010000000-0x00000000102F1000-memory.dmp	vmprotect
behavioral2/memory/3152-137-0x0000000010000000-0x00000000102F1000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3152	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1780	3152	WerFault.exe	81

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 3152	1788	rundll32.exe	81
PID 1788 wrote to memory of 3152	1788	rundll32.exe	81
PID 1788 wrote to memory of 3152	1788	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3078b7bb3260fd7caa95d8f2cb64891f803bbd487105ef48742fc2e6f63b6bd1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3078b7bb3260fd7caa95d8f2cb64891f803bbd487105ef48742fc2e6f63b6bd1.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 596
    3⤵
    - Program crash
    PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3152 -ip 3152
1⤵
PID:5004

memory/3152-133-0x0000000010000000-0x00000000102F1000-memory.dmp

Filesize
2.9MB

Download
memory/3152-137-0x0000000010000000-0x00000000102F1000-memory.dmp

Filesize
2.9MB

Download