2dca64d707c9cc9c8750725efe711ce56501ce681040e88371f3b0f98acee5de

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:35

Target

121210破简单vip/JDG_build.dll
Size

625KB
MD5

843c7aa1246d167b66b1cd9f096f0ed2
SHA1

744892e3d847c690fc44d06e5ee9b7e9a9d87f20
SHA256

d0d7029938aa06bafbd6ea296353cb3ac4bf61da2f9a1b218b4d1d98d8f6a412
SHA512

328833c87fa658e58903c55ef8745f140393953552c6c245e58d8724a2212cc0e22f2b67b06cf1b3a10faf3517ff71c3506314ef94048727048b52f8798defdc
SSDEEP

12288:Ox+3aBp9fj9PgB1WB3nxGr3v98Izlr+CNXlnd7DnzN+tmMK6LVBCSx9jNqO91:k5RjpR8lBRr+CTnzAtXK6LKW

Score

8^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/4728-133-0x0000000074C60000-0x0000000074DA1000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4828 wrote to memory of 4728	4828	rundll32.exe	rundll32.exe
PID 4828 wrote to memory of 4728	4828	rundll32.exe	rundll32.exe
PID 4828 wrote to memory of 4728	4828	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\121210破简单vip\JDG_build.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\121210破简单vip\JDG_build.dll,#1
2⤵
PID:4728

memory/4728-132-0x0000000000000000-mapping.dmp

Download
memory/4728-133-0x0000000074C60000-0x0000000074DA1000-memory.dmp

Filesize
1.3MB

Download