3b95c4e6569b6c804e078c168980e9c6b4c5b3c82f6e4002ca669e9f6a47d050

Analysis

max time kernel
12s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:05

Target

3b95c4e6569b6c804e078c168980e9c6b4c5b3c82f6e4002ca669e9f6a47d050.dll
Size

1.5MB
MD5

31902771821af1e24e99f31856bf5b5f
SHA1

f41cf5bff6683f12bb07ed28619e4a1f10495ca2
SHA256

3b95c4e6569b6c804e078c168980e9c6b4c5b3c82f6e4002ca669e9f6a47d050
SHA512

56e0f6cf1e0fa181b741dc5b2f7d89469c061d3640c9d606c2d7fda5a52004b5258a16d0faa105731e969c9e000ed02194b85c83aab7ea4d93d881e435f83099
SSDEEP

24576:LWF63MX3Crq1GD+DO5Qk8FWplWwXYGsCE3Q087xzZUbvbjivLykh4PviClV+/qe2:CFsp+1GDF/84lWwXqYNzwvXk9hBoV+/0

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/1724-56-0x0000000010000000-0x00000000102FC000-memory.dmp	vmprotect
behavioral1/memory/1724-59-0x0000000010000000-0x00000000102FC000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

1724 rundll32.exe

pid	process
1724	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1788 wrote to memory of 1724	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 1724	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 1724	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 1724	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 1724	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 1724	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 1724	1788	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b95c4e6569b6c804e078c168980e9c6b4c5b3c82f6e4002ca669e9f6a47d050.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b95c4e6569b6c804e078c168980e9c6b4c5b3c82f6e4002ca669e9f6a47d050.dll,#1
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1724

memory/1724-54-0x0000000000000000-mapping.dmp

Download
memory/1724-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1724-56-0x0000000010000000-0x00000000102FC000-memory.dmp

Filesize
3.0MB

Download
memory/1724-59-0x0000000010000000-0x00000000102FC000-memory.dmp

Filesize
3.0MB

Download