f2b7ace6cffc8262db3105e08274c5aaf1ba47324cde7c0a30c19daade6b613e

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 10:41

Target

f2b7ace6cffc8262db3105e08274c5aaf1ba47324cde7c0a30c19daade6b613e.dll
Size

164KB
MD5

307a64b669938969b9935953b18511c0
SHA1

524f9d18ca424b8a370a25961d972e4346943dec
SHA256

f2b7ace6cffc8262db3105e08274c5aaf1ba47324cde7c0a30c19daade6b613e
SHA512

ef2e13fb97db71ed46b20abedc0da3c2556fc2fdc00a9b8db7aff6ff2fea01cac1c6e80892006baddbe2eb247d3d726109bd3317d040815466fa9638f2f0c07c
SSDEEP

3072:MkOjF8KopiySJhSfylJVDJB3AoqcKRqW7eU78cdm/4sP:MVnLhTlJd3AoSRLPO

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/628-56-0x0000000010000000-0x00000000100A6000-memory.dmp	vmprotect
behavioral1/memory/628-59-0x0000000010000000-0x00000000100A6000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1344	628	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 628	960	rundll32.exe	27
PID 960 wrote to memory of 628	960	rundll32.exe	27
PID 960 wrote to memory of 628	960	rundll32.exe	27
PID 960 wrote to memory of 628	960	rundll32.exe	27
PID 960 wrote to memory of 628	960	rundll32.exe	27
PID 960 wrote to memory of 628	960	rundll32.exe	27
PID 960 wrote to memory of 628	960	rundll32.exe	27
PID 628 wrote to memory of 1344	628	rundll32.exe	28
PID 628 wrote to memory of 1344	628	rundll32.exe	28
PID 628 wrote to memory of 1344	628	rundll32.exe	28
PID 628 wrote to memory of 1344	628	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2b7ace6cffc8262db3105e08274c5aaf1ba47324cde7c0a30c19daade6b613e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2b7ace6cffc8262db3105e08274c5aaf1ba47324cde7c0a30c19daade6b613e.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 228
    3⤵
    - Program crash
    PID:1344

memory/628-54-0x0000000000000000-mapping.dmp

Download
memory/628-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/628-56-0x0000000010000000-0x00000000100A6000-memory.dmp

Filesize
664KB

Download
memory/628-59-0x0000000010000000-0x00000000100A6000-memory.dmp

Filesize
664KB

Download
memory/1344-58-0x0000000000000000-mapping.dmp

Download