97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9

Analysis

max time kernel
146s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 12:08

Target

97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll
Size

107KB
MD5

177a852dc41723876b28dee508a99ee6
SHA1

45e87a13b9894bbfdd1a9d7e34153ce9fe8010a6
SHA256

97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9
SHA512

18ee953acad7c6b4e59c7dcddf9711c2688ee8f665610a03434fad15e2758b249f76c0bfc012b0ddf2e9f8b9c528dd98d353afcf4dcde6c4892254af1b21ce8b
SSDEEP

3072:3zKvSm7W7Ju3hrr/OFAS0M+d3ddgS1LkC/NNg:3zKamM8r/OFASl+d3YC/Hg

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/1260-133-0x0000000075690000-0x00000000756C2000-memory.dmp	vmprotect
behavioral2/memory/1260-134-0x0000000075690000-0x00000000756C2000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

1260 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4940 1260 WerFault.exe rundll32.exe

pid	process
1260	rundll32.exe

pid	pid_target	process	target process
4940	1260	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3796 wrote to memory of 1260	3796	rundll32.exe	rundll32.exe
PID 3796 wrote to memory of 1260	3796	rundll32.exe	rundll32.exe
PID 3796 wrote to memory of 1260	3796	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 580
    3⤵
    - Program crash
    PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1260 -ip 1260
1⤵
PID:3540

memory/1260-132-0x0000000000000000-mapping.dmp

Download
memory/1260-133-0x0000000075690000-0x00000000756C2000-memory.dmp

Filesize
200KB

Download
memory/1260-134-0x0000000075690000-0x00000000756C2000-memory.dmp

Filesize
200KB

Download
memory/1260-135-0x0000000075690000-0x00000000756B9000-memory.dmp

Filesize
164KB

Download