6ef735a9fd1c1c9853c833f56e939b67d1124b96aeed2247031b107c2e0be431

Analysis

max time kernel
90s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 22:32

Target

6ef735a9fd1c1c9853c833f56e939b67d1124b96aeed2247031b107c2e0be431.dll
Size

454KB
MD5

5ad3c9a110805a3bca36a19d490588d0
SHA1

ad14f8d70103364b552e5a27cc1b9273009540ea
SHA256

6ef735a9fd1c1c9853c833f56e939b67d1124b96aeed2247031b107c2e0be431
SHA512

dcd514033c9159ce52ff5b9c6014ea94801177650fb1054f724ba9ad72eb053ff55a986bf9f74df03065938613559eee721aad8c3a082a9fabef0cd90735e48d
SSDEEP

12288:oxmebWhic2+e7OqFzrzwRP/BWQ+6iVeKAd8L:ooe2ic2+KO5JBbiVeKAy

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/1312-134-0x0000000000400000-0x0000000000501000-memory.dmp	vmprotect
behavioral2/memory/1312-135-0x0000000000400000-0x0000000000501000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4252 wrote to memory of 1312	4252	rundll32.exe	rundll32.exe
PID 4252 wrote to memory of 1312	4252	rundll32.exe	rundll32.exe
PID 4252 wrote to memory of 1312	4252	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ef735a9fd1c1c9853c833f56e939b67d1124b96aeed2247031b107c2e0be431.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ef735a9fd1c1c9853c833f56e939b67d1124b96aeed2247031b107c2e0be431.dll,#1
2⤵
PID:1312

memory/1312-133-0x0000000000000000-mapping.dmp

Download
memory/1312-134-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1312-135-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download