a082cce281d5775d0b4f450c219b87d5dd686f487c83709d83e900863be3c2f4

Analysis

max time kernel
4s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 07:13

Target

a082cce281d5775d0b4f450c219b87d5dd686f487c83709d83e900863be3c2f4.dll
Size

540KB
MD5

df55d0ab47a463b47e577e508979df4f
SHA1

0311f037f25a4c88b48b13ae1de6dd8bcbf1ef28
SHA256

a082cce281d5775d0b4f450c219b87d5dd686f487c83709d83e900863be3c2f4
SHA512

fab431e819cb0e072006a592fc3be9ea53ce629da68251b089e21c7146da7c8e9c5aa94c5a729f023069fc6367db1a7fa07a6c35480c235d65be1aa0cfb14ec8
SSDEEP

12288:R2MN8hmuy7edfBcqV3J/yPyIQqsRmqWqz:x8mLKBc6yyzqgmLqz

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/308-56-0x0000000010000000-0x0000000010216000-memory.dmp	vmprotect
behavioral1/memory/308-61-0x0000000010000000-0x0000000010216000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
336	308	WerFault.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
308	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 308	908	rundll32.exe	28
PID 908 wrote to memory of 308	908	rundll32.exe	28
PID 908 wrote to memory of 308	908	rundll32.exe	28
PID 908 wrote to memory of 308	908	rundll32.exe	28
PID 908 wrote to memory of 308	908	rundll32.exe	28
PID 908 wrote to memory of 308	908	rundll32.exe	28
PID 908 wrote to memory of 308	908	rundll32.exe	28
PID 308 wrote to memory of 336	308	rundll32.exe	29
PID 308 wrote to memory of 336	308	rundll32.exe	29
PID 308 wrote to memory of 336	308	rundll32.exe	29
PID 308 wrote to memory of 336	308	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a082cce281d5775d0b4f450c219b87d5dd686f487c83709d83e900863be3c2f4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a082cce281d5775d0b4f450c219b87d5dd686f487c83709d83e900863be3c2f4.dll,#1
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 272
    3⤵
    - Program crash
    PID:336

memory/308-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/308-56-0x0000000010000000-0x0000000010216000-memory.dmp

Filesize
2.1MB

Download
memory/308-61-0x0000000010000000-0x0000000010216000-memory.dmp

Filesize
2.1MB

Download