8851cd482bb5e156e63874c92fa9f2f50bed249f3ee750562507377876b018b6

Analysis

max time kernel
157s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 06:10

Target

8851cd482bb5e156e63874c92fa9f2f50bed249f3ee750562507377876b018b6.dll
Size

160KB
MD5

0e08662cbe3e70fefae65d5cef6c9d93
SHA1

2259cee43265541b780ba83ee7b2f11e768812ac
SHA256

8851cd482bb5e156e63874c92fa9f2f50bed249f3ee750562507377876b018b6
SHA512

367099b0053c3e85509c947a31be8b71fead2b21e1a915d0077d910c289a1a6c9e92497a3d3aa0ead25615a41f87c4b5d872b03a2a70b823cbb1aaeb13928e45
SSDEEP

3072:0UprN62duo7eb18up2buwDAuQieWXuXIZsOPhd5nGTHta:3yR8S2P9tecdsOPhgH

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/4428-133-0x0000000010000000-0x0000000010068000-memory.dmp	vmprotect
behavioral2/memory/4428-136-0x0000000010000000-0x0000000010068000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 4428	3860	rundll32.exe	83
PID 3860 wrote to memory of 4428	3860	rundll32.exe	83
PID 3860 wrote to memory of 4428	3860	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8851cd482bb5e156e63874c92fa9f2f50bed249f3ee750562507377876b018b6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8851cd482bb5e156e63874c92fa9f2f50bed249f3ee750562507377876b018b6.dll,#1
  2⤵
  PID:4428

memory/4428-133-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/4428-136-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download