81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b

Analysis

max time kernel
277s
max time network
335s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 07:32

Target

81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b.dll
Size

105KB
MD5

009786c930c56921c500d1d6ca1c47ef
SHA1

b3fedb32e8c6d44337bc2326409fe8db590a70b5
SHA256

81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b
SHA512

912fed66a7c21ec067a300204876fbb871efa17082fdf96e1de17852efab5458cacbe8e8da3eed6938ba9b162ec1f1c886a130df251cdd13f2c0f7d8a49b4b4a
SSDEEP

3072:GmwAu62lep2pdokh2uex6EcKXGTVz7Zm3rF:dbuTJdNo8EcKXGTVz7ZA

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/5100-133-0x0000000074B80000-0x0000000074BA3000-memory.dmp	vmprotect
behavioral2/memory/5100-134-0x0000000074B80000-0x0000000074BA3000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

5100 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1652 5100 WerFault.exe rundll32.exe

pid	process
5100	rundll32.exe

pid	pid_target	process	target process
1652	5100	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4928 wrote to memory of 5100	4928	rundll32.exe	rundll32.exe
PID 4928 wrote to memory of 5100	4928	rundll32.exe	rundll32.exe
PID 4928 wrote to memory of 5100	4928	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b.dll,#1
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 552
3⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5100 -ip 5100
1⤵
PID:456

memory/5100-132-0x0000000000000000-mapping.dmp

Download
memory/5100-133-0x0000000074B80000-0x0000000074BA3000-memory.dmp

Filesize
140KB

Download
memory/5100-134-0x0000000074B80000-0x0000000074BA3000-memory.dmp

Filesize
140KB

Download