179d7de6b5589bd2c48e1c0f50f4dc330b8e71d904d8ee8813c2e27373a77ab6

Analysis

max time kernel
133s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 23:59

Target

179d7de6b5589bd2c48e1c0f50f4dc330b8e71d904d8ee8813c2e27373a77ab6.dll
Size

254KB
MD5

04bfc0485df09675d55aa76c8233fc10
SHA1

7871c28e316e5e526ba68b75c34f6a956b529223
SHA256

179d7de6b5589bd2c48e1c0f50f4dc330b8e71d904d8ee8813c2e27373a77ab6
SHA512

b42f85c5ed4c59af627f2fcf413d6dd29bd5b52ee4c9ac5c27b7d2a4c521734be5aab2ef8d5dfddbf96b9ff1985309cf918b0195ab2bb91cbfda3b37382d2bd6
SSDEEP

6144:B+Yf+XFDk8zQOvzCZlYGtlJ4rC31FbJ9ClvmRQFkz+57J/U3C4lpWum5J:Ut/xvzCZl9t4rClRJ9Clvy+57myowumH

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/4992-133-0x00000000010D0000-0x0000000001156000-memory.dmp	vmprotect
behavioral2/memory/4992-134-0x00000000010D0000-0x0000000001156000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4992	3040	rundll32.exe	82
PID 3040 wrote to memory of 4992	3040	rundll32.exe	82
PID 3040 wrote to memory of 4992	3040	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\179d7de6b5589bd2c48e1c0f50f4dc330b8e71d904d8ee8813c2e27373a77ab6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\179d7de6b5589bd2c48e1c0f50f4dc330b8e71d904d8ee8813c2e27373a77ab6.dll,#1
  2⤵
  PID:4992

memory/4992-133-0x00000000010D0000-0x0000000001156000-memory.dmp

Filesize
536KB

Download
memory/4992-134-0x00000000010D0000-0x0000000001156000-memory.dmp

Filesize
536KB

Download