97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 12:08

Target

97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll
Size

107KB
MD5

177a852dc41723876b28dee508a99ee6
SHA1

45e87a13b9894bbfdd1a9d7e34153ce9fe8010a6
SHA256

97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9
SHA512

18ee953acad7c6b4e59c7dcddf9711c2688ee8f665610a03434fad15e2758b249f76c0bfc012b0ddf2e9f8b9c528dd98d353afcf4dcde6c4892254af1b21ce8b
SSDEEP

3072:3zKvSm7W7Ju3hrr/OFAS0M+d3ddgS1LkC/NNg:3zKamM8r/OFASl+d3YC/Hg

Score

8^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/1112-56-0x0000000074BE0000-0x0000000074C12000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

1112 rundll32.exe

pid	process
1112	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 536 wrote to memory of 1112	536	rundll32.exe	rundll32.exe
PID 536 wrote to memory of 1112	536	rundll32.exe	rundll32.exe
PID 536 wrote to memory of 1112	536	rundll32.exe	rundll32.exe
PID 536 wrote to memory of 1112	536	rundll32.exe	rundll32.exe
PID 536 wrote to memory of 1112	536	rundll32.exe	rundll32.exe
PID 536 wrote to memory of 1112	536	rundll32.exe	rundll32.exe
PID 536 wrote to memory of 1112	536	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1112

memory/1112-54-0x0000000000000000-mapping.dmp

Download
memory/1112-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1112-56-0x0000000074BE0000-0x0000000074C12000-memory.dmp

Filesize
200KB

Download
memory/1112-57-0x0000000074C20000-0x0000000074C52000-memory.dmp

Filesize
200KB

Download
memory/1112-58-0x0000000074BE0000-0x0000000074C60000-memory.dmp

Filesize
512KB

Download