ccb7410d0d5a3407dcfc0f824a9ad4784490bad1dd03c193b7e936cfc94fca02

Analysis

max time kernel
7s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 12:23

Target

ccb7410d0d5a3407dcfc0f824a9ad4784490bad1dd03c193b7e936cfc94fca02.dll
Size

985KB
MD5

4b4645a26db53a43de46fa49b76031a8
SHA1

c11389347a91010c8a95a1feefbe9de80a453089
SHA256

ccb7410d0d5a3407dcfc0f824a9ad4784490bad1dd03c193b7e936cfc94fca02
SHA512

8c190680f4aa3c759e870b44263f70a827aff0002d4c25db5335cba11fbc77c59ee2ce839eaa24e333910c57980b4fdf31bd39cc449b858b8941f94d5f8c7933
SSDEEP

24576:uOecjA+rD4gMXB5xIp9KdOxsQeoB/+6bL1F5arui:uNmf4gq6KQbP+6bhF5a

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/1056-56-0x0000000010000000-0x0000000010354000-memory.dmp	vmprotect
behavioral1/memory/1056-57-0x0000000010000000-0x0000000010354000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

1056 rundll32.exe

pid	process
1056	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1952 wrote to memory of 1056	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1056	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1056	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1056	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1056	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1056	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1056	1952	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccb7410d0d5a3407dcfc0f824a9ad4784490bad1dd03c193b7e936cfc94fca02.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccb7410d0d5a3407dcfc0f824a9ad4784490bad1dd03c193b7e936cfc94fca02.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1056

memory/1056-54-0x0000000000000000-mapping.dmp

Download
memory/1056-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1056-56-0x0000000010000000-0x0000000010354000-memory.dmp

Filesize
3.3MB

Download
memory/1056-57-0x0000000010000000-0x0000000010354000-memory.dmp

Filesize
3.3MB

Download