29f02ed4cd03502ecca7f79ca9f54c40d00ece31427b98f6d0ad6a4e7c7cc2fe

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 09:25

Target

29f02ed4cd03502ecca7f79ca9f54c40d00ece31427b98f6d0ad6a4e7c7cc2fe.dll
Size

800KB
MD5

0688292373e4f2a68d0e2b3f17e85870
SHA1

b06fdeb3cfe3a1a4e9f75bae2966e2c9c3ed30ac
SHA256

29f02ed4cd03502ecca7f79ca9f54c40d00ece31427b98f6d0ad6a4e7c7cc2fe
SHA512

2f839633315aa78ec4e4fb591281fe298e85decc46b4e122525a9e44049b2b811193b727fed3cbe6d5b2776acd329770c68d8d0fa673d4192216f83ab08d25b8
SSDEEP

12288:g83TuYSMxfqBJ2+q/EVCF2aJm4gSQkgdTFEXfn529fwqbf1BuXj8lMQHjnZXuf/g:nDuIARr4ghk4cxYfwqbmXIlFHlXP

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/2496-133-0x0000000000400000-0x000000000058C000-memory.dmp	vmprotect
behavioral2/memory/2496-134-0x0000000000400000-0x000000000058C000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2496	3444	rundll32.exe	79
PID 3444 wrote to memory of 2496	3444	rundll32.exe	79
PID 3444 wrote to memory of 2496	3444	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29f02ed4cd03502ecca7f79ca9f54c40d00ece31427b98f6d0ad6a4e7c7cc2fe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\29f02ed4cd03502ecca7f79ca9f54c40d00ece31427b98f6d0ad6a4e7c7cc2fe.dll,#1
  2⤵
  PID:2496

memory/2496-133-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2496-134-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download