5ea26b93db6d7aa825a62e03772e976ca62e74e7caa3c0d9e396e3648795a0e7

Analysis

max time kernel
128s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 08:46

Target

5ea26b93db6d7aa825a62e03772e976ca62e74e7caa3c0d9e396e3648795a0e7.dll
Size

794KB
MD5

170f209f93a113fc5d1004d4538bffe0
SHA1

3056ca36f341254f74f12220f2a84dde39b24dcf
SHA256

5ea26b93db6d7aa825a62e03772e976ca62e74e7caa3c0d9e396e3648795a0e7
SHA512

20bce1d8f79493fc7876081bfd073cebd9450de6bc88ab17692355969395a05ed69a46e6ca9d18f6576d21694b843ba66a3637f39bf3c065f6674a25ee42db3d
SSDEEP

12288:gUgqbRnr6xHC2gZIeAlD3VwwWnK1Ju1/kw3m58eMkzoFgNsR1gHezNmx1Q42t+6+:DbRO6VE3VFgY41/m8eMbx1WRupq

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/2548-133-0x0000000000400000-0x0000000000587000-memory.dmp	vmprotect
behavioral2/memory/2548-134-0x0000000000400000-0x0000000000587000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2548	2324	rundll32.exe	82
PID 2324 wrote to memory of 2548	2324	rundll32.exe	82
PID 2324 wrote to memory of 2548	2324	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ea26b93db6d7aa825a62e03772e976ca62e74e7caa3c0d9e396e3648795a0e7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ea26b93db6d7aa825a62e03772e976ca62e74e7caa3c0d9e396e3648795a0e7.dll,#1
  2⤵
  PID:2548

memory/2548-132-0x0000000000000000-mapping.dmp

Download
memory/2548-133-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2548-134-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download