da3a25818b90a803e7e62aa54abc3800e57c36dec58bf8f80bc7435a243faf93

Analysis

max time kernel
3s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 08:19

Target

da3a25818b90a803e7e62aa54abc3800e57c36dec58bf8f80bc7435a243faf93.dll
Size

1008KB
MD5

416117f213a32d59d7ee05981fdae033
SHA1

b2c09abaec31e94370a2d9db87e754ae1b0d12d5
SHA256

da3a25818b90a803e7e62aa54abc3800e57c36dec58bf8f80bc7435a243faf93
SHA512

bac7442dc4224b4ec5e750b312db2826201b5570308615ec81efe6ba916ff943468eccb1c0129c3cef067510457502e2925f9f6d6cba78669883450895f3f529
SSDEEP

24576:PUMFI0wALgYKGQzCOUgS387q/3ntozSGfXbyhdHo0K0KjSb:P7IZGgYNoUgSIqGzSGPubHous

Score

8^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2016-56-0x0000000010000000-0x00000000102B4000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2016	rundll32.exe
2016	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2016	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2016	2028	rundll32.exe	28
PID 2028 wrote to memory of 2016	2028	rundll32.exe	28
PID 2028 wrote to memory of 2016	2028	rundll32.exe	28
PID 2028 wrote to memory of 2016	2028	rundll32.exe	28
PID 2028 wrote to memory of 2016	2028	rundll32.exe	28
PID 2028 wrote to memory of 2016	2028	rundll32.exe	28
PID 2028 wrote to memory of 2016	2028	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da3a25818b90a803e7e62aa54abc3800e57c36dec58bf8f80bc7435a243faf93.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\da3a25818b90a803e7e62aa54abc3800e57c36dec58bf8f80bc7435a243faf93.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2016

memory/2016-55-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/2016-56-0x0000000010000000-0x00000000102B4000-memory.dmp

Filesize
2.7MB

Download