18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c

Analysis

max time kernel
179s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:36

Target

18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c.dll
Size

142KB
MD5

a4aec66afeec77b507b87d5e9956c7fe
SHA1

8481cc4e2daa07f79039b15c565f9ed416e44d15
SHA256

18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c
SHA512

283b4bcffd33531957368ee94683ec95327f0d854a0c5b453b4381cf4a6e214b156ccdbfc6e326199d6dd74696ed6c69c68422dfd1700224d41391776252d826
SSDEEP

3072:Jb6dmDS43k8QFvSxMoj1xGL7oZGexwi/YCRGgDkZaTBw0i:d6dmO40jFvSxMQ6L8FxwiUR2BC

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/1568-133-0x0000000000A70000-0x0000000000AAB000-memory.dmp	vmprotect
behavioral2/memory/1568-134-0x0000000000A70000-0x0000000000AAB000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

1568 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3408 1568 WerFault.exe rundll32.exe

pid	process
1568	rundll32.exe

pid	pid_target	process	target process
3408	1568	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1360 wrote to memory of 1568	1360	rundll32.exe	rundll32.exe
PID 1360 wrote to memory of 1568	1360	rundll32.exe	rundll32.exe
PID 1360 wrote to memory of 1568	1360	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c.dll,#1
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 568
3⤵
- Program crash
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1568 -ip 1568
1⤵
PID:3044

memory/1568-132-0x0000000000000000-mapping.dmp

Download
memory/1568-133-0x0000000000A70000-0x0000000000AAB000-memory.dmp

Filesize
236KB

Download
memory/1568-134-0x0000000000A70000-0x0000000000AAB000-memory.dmp

Filesize
236KB

Download