1a3050028af1dea85c09585eda56e2f76c8f0e77e369c2f8ab567e289147c060

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 18:36

Target

DNBInternal.dll
Size

2.8MB
MD5

b83ee93d6548da1441d154f7ff33026b
SHA1

de3cc41655e549c37798d9ec8151c4b536db7779
SHA256

fc8afb07c03548cbc257576aad4e637506b669f068642943ddaa4c9a806a8c89
SHA512

13b161f15c57f32da5506d2406fcdeb4a84e4634dc3bf7b3d968c0979b4bcf5c07a5a14b091e9e1a35803846a1c9deda139a6fb2eff604716e813aaa695cf83c
SSDEEP

49152:KtRfbkWEVG3EOv/ViBlCat/Yi3XhOqLdpsdP0ZvMgRNG5i/Unw8eVA721IeRu3om:4RwrE33v/Lat/YiDxpI01RNL/X8eVP1o

Score

8^/10

vmprotect

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/1472-56-0x0000000010000000-0x000000001060C000-memory.dmp	vmprotect
behavioral1/memory/1472-57-0x0000000010000000-0x000000001060C000-memory.dmp	vmprotect
behavioral1/memory/1472-59-0x0000000010000000-0x000000001060C000-memory.dmp	vmprotect
behavioral1/memory/1472-58-0x0000000010000000-0x000000001060C000-memory.dmp	vmprotect
behavioral1/memory/1472-61-0x0000000010000000-0x000000001060C000-memory.dmp	vmprotect

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

1472 rundll32.exe

pid	process
1472	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 1472	112	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DNBInternal.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DNBInternal.dll,#1
2⤵
- Suspicious use of SetWindowsHookEx
PID:1472

memory/1472-54-0x0000000000000000-mapping.dmp

Download
memory/1472-55-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1472-56-0x0000000010000000-0x000000001060C000-memory.dmp

Filesize
6.0MB

Download
memory/1472-57-0x0000000010000000-0x000000001060C000-memory.dmp

Filesize
6.0MB

Download
memory/1472-59-0x0000000010000000-0x000000001060C000-memory.dmp

Filesize
6.0MB

Download
memory/1472-58-0x0000000010000000-0x000000001060C000-memory.dmp

Filesize
6.0MB

Download
memory/1472-61-0x0000000010000000-0x000000001060C000-memory.dmp

Filesize
6.0MB

Download