d494e9b4970d2d6792a117d6cc908d8424fe1e69c21a8075465ba431faa9c651

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 10:53

Target

Wall Hack.dll
Size

197KB
MD5

bee0a0d87f00d2b4e8125aafa5c35b05
SHA1

37527f723c138d4500e30e4a5c34ddecf50c5c34
SHA256

0a5e783e5bb7b812351eb372e324f2f33b5a6f943da0fee718af816e37ce8150
SHA512

b93b40476b79783e95aac3eb2d18b0e8ca6087547235b76056030d5affb707739f3a712ace26ca6a63e96a8ee4383ad2ee70b4ec3fb04d1c8b4298efbac8a69a
SSDEEP

3072:0gSzAsSZES2L8EH89KZGaUalyAJqO9rIm1EVPk6VXF2N1FFQirgPOlS5ss:0g7TES2XcAZQk6O9rIm1d6VFWs/5s

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/1888-56-0x0000000074E60000-0x0000000074EE7000-memory.dmp	vmprotect
behavioral1/memory/1888-62-0x0000000074E60000-0x0000000074EE7000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

1888 rundll32.exe

pid	process
1888	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 956 wrote to memory of 1888	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1888	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1888	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1888	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1888	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1888	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1888	956	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Wall Hack.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Wall Hack.dll",#1
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1888

memory/1888-54-0x0000000000000000-mapping.dmp

Download
memory/1888-55-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/1888-56-0x0000000074E60000-0x0000000074EE7000-memory.dmp

Filesize
540KB

Download
memory/1888-59-0x0000000074BE0000-0x0000000074DA3000-memory.dmp

Filesize
1.8MB

Download
memory/1888-60-0x0000000074BE0000-0x0000000074DA3000-memory.dmp

Filesize
1.8MB

Download
memory/1888-61-0x0000000074EF0000-0x0000000074F77000-memory.dmp

Filesize
540KB

Download
memory/1888-62-0x0000000074E60000-0x0000000074EE7000-memory.dmp

Filesize
540KB

Download
memory/1888-63-0x0000000074EF0000-0x0000000074F77000-memory.dmp

Filesize
540KB

Download