b9398eacac9baf1af1c97775eba29412b8d9b75202cb3fd69aca72847d94f050

Analysis

max time kernel
159s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 23:30

Target

b9398eacac9baf1af1c97775eba29412b8d9b75202cb3fd69aca72847d94f050.dll
Size

679KB
MD5

087c7a9603f781f48641d2f8b2cb0fd0
SHA1

500adc0da253216b7db0fb5f075ad532a9384c4e
SHA256

b9398eacac9baf1af1c97775eba29412b8d9b75202cb3fd69aca72847d94f050
SHA512

204071f3280a869715beb69251e714bc870c17965f6fab8e8d6280bd46f28454781c83b06b9260eb74990ac9c5c89e3f9212961dd58f5df42c3296fd4b888539
SSDEEP

12288:FH+2bXay0KElDBERz9NOqHVVpCQ1RmOdbAhBPxz5KznK0WfkQOzCTkzjAV:B+2bX0NlDBERrOqHP8Q1okMBPfKzntJe

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/4860-133-0x0000000002390000-0x00000000024E0000-memory.dmp	vmprotect
behavioral2/memory/4860-134-0x0000000002390000-0x00000000024E0000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4860	4628	rundll32.exe	80
PID 4628 wrote to memory of 4860	4628	rundll32.exe	80
PID 4628 wrote to memory of 4860	4628	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9398eacac9baf1af1c97775eba29412b8d9b75202cb3fd69aca72847d94f050.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9398eacac9baf1af1c97775eba29412b8d9b75202cb3fd69aca72847d94f050.dll,#1
  2⤵
  PID:4860

memory/4860-133-0x0000000002390000-0x00000000024E0000-memory.dmp

Filesize
1.3MB

Download
memory/4860-134-0x0000000002390000-0x00000000024E0000-memory.dmp

Filesize
1.3MB

Download