0123418ffeceaec339159113651a7f2bb502b64b25a34d812b27ff88e1e53db3 | Triage

Analysis

max time kernel
188s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 07:18

Sharing

Report Analysis Logs

General

Target

明月11.79/box.dll
Size

2.7MB
MD5

d40c606ef8cd891352a863b612ef317c
SHA1

815fa415695b203970012a719ced8c7bcd9b2824
SHA256

93b0796a736ea8d4bc9723eb55ce64e49605c55332494498a4cb24828f74e631
SHA512

1e678e1e5ac2e802c1122c7a46dc3d8295d224cae737f56ab8bd956815f3bcb0e0a0f2f9fe757c3444da91911fb5f603ae5ddb8b741494bd8cd0315f0ddd1ab1
SSDEEP

49152:I3+/qXwkZaKnieQvldCcAytk9CJis3/r/pU4u4oMsFB3aZ6OvmiixHXnSu:I3FLIKidjAl9ab1u5M+wvu1

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral14/memory/4664-133-0x0000000075050000-0x00000000755CE000-memory.dmp	vmprotect
behavioral14/memory/4664-134-0x0000000075050000-0x00000000755CE000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1056 wrote to memory of 4664	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 4664	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 4664	1056	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\明月11.79\box.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\明月11.79\box.dll,#1
  2⤵
  PID:4664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4664-132-0x0000000000000000-mapping.dmp

Download
memory/4664-133-0x0000000075050000-0x00000000755CE000-memory.dmp

Filesize
5.5MB

Download
memory/4664-134-0x0000000075050000-0x00000000755CE000-memory.dmp

Filesize
5.5MB

Download