6e5f8e88e79ba41e31c47a8206a6faa432b10ae1ed829d4d47e4217b19e40652

Analysis

max time kernel
20s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 02:11

Target

6e5f8e88e79ba41e31c47a8206a6faa432b10ae1ed829d4d47e4217b19e40652.dll
Size

788KB
MD5

d86ec7251d371878ba6ff9c4dcd97bf0
SHA1

66f0edc0e2a0e6d5c8fbd2e42b5e294df1f0ff15
SHA256

6e5f8e88e79ba41e31c47a8206a6faa432b10ae1ed829d4d47e4217b19e40652
SHA512

45205e0a04f10de04370e9c8f392ce7d9db15cb7bec5837de8705065a841db91d0daff3ab93eb8d55caa6e26fe493f622e6f3c661e951d9a4ff7d3524e689478
SSDEEP

24576:8ChFkESgPcPK/99vO9JhOFEqAj8Jh+9pObjEp:8CjkGZ/99vYhOFEpiY9pObja

Score

8^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/684-56-0x0000000010000000-0x00000000101DD000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
684	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
684	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 684	1668	rundll32.exe	28
PID 1668 wrote to memory of 684	1668	rundll32.exe	28
PID 1668 wrote to memory of 684	1668	rundll32.exe	28
PID 1668 wrote to memory of 684	1668	rundll32.exe	28
PID 1668 wrote to memory of 684	1668	rundll32.exe	28
PID 1668 wrote to memory of 684	1668	rundll32.exe	28
PID 1668 wrote to memory of 684	1668	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e5f8e88e79ba41e31c47a8206a6faa432b10ae1ed829d4d47e4217b19e40652.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e5f8e88e79ba41e31c47a8206a6faa432b10ae1ed829d4d47e4217b19e40652.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:684

memory/684-54-0x0000000000000000-mapping.dmp

Download
memory/684-55-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/684-56-0x0000000010000000-0x00000000101DD000-memory.dmp

Filesize
1.9MB

Download