b889df6190f6d05370d6496d046abc978b5d908906a3e6d3ba7fbd6b8f7f2d48

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:35

Target

b889df6190f6d05370d6496d046abc978b5d908906a3e6d3ba7fbd6b8f7f2d48.dll
Size

254KB
MD5

4a811f1ca0f56a5d4f1f9d5778bb9280
SHA1

6f7aa64d55c351e3ee4f147c66ade61bf8fb46d9
SHA256

b889df6190f6d05370d6496d046abc978b5d908906a3e6d3ba7fbd6b8f7f2d48
SHA512

f3c90b2bfa7ee16cc434a7a3d25b9cf4164eadb90dc0e6ce59fc80271136aef7a1e2410f829e4a88e7fa66f15c9e9288ccff8b1b82b7c134ddaec33e5dad736e
SSDEEP

6144:B+Yf+XFDk8zQOvzCZlYGtlJ4rC31FbJ9ClvmRQFkz+57J/U3C4lpWum5z:Ut/xvzCZl9t4rClRJ9Clvy+57myowumF

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/2056-133-0x0000000000B80000-0x0000000000C06000-memory.dmp	vmprotect
behavioral2/memory/2056-134-0x0000000000B80000-0x0000000000C06000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3680 wrote to memory of 2056	3680	rundll32.exe	rundll32.exe
PID 3680 wrote to memory of 2056	3680	rundll32.exe	rundll32.exe
PID 3680 wrote to memory of 2056	3680	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b889df6190f6d05370d6496d046abc978b5d908906a3e6d3ba7fbd6b8f7f2d48.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b889df6190f6d05370d6496d046abc978b5d908906a3e6d3ba7fbd6b8f7f2d48.dll,#1
2⤵
PID:2056

memory/2056-132-0x0000000000000000-mapping.dmp

Download
memory/2056-133-0x0000000000B80000-0x0000000000C06000-memory.dmp

Filesize
536KB

Download
memory/2056-134-0x0000000000B80000-0x0000000000C06000-memory.dmp

Filesize
536KB

Download