b07beca39864a312beea16bc0fcebf5d5bb0bb8c157066b9f9056efa9036d7ce

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2023, 03:26

Target

b07beca39864a312beea16bc0fcebf5d5bb0bb8c157066b9f9056efa9036d7ce.dll
Size

600KB
MD5

b667dd84f27c098211cfcc4da072f801
SHA1

006440841f080f0e1362ee592262073fcc52bedb
SHA256

b07beca39864a312beea16bc0fcebf5d5bb0bb8c157066b9f9056efa9036d7ce
SHA512

e05d5b72f1e956875d8a582a996e4db05f14770115ea77fa582525f34bb0c9ddebef83fa37dfd5bdc5b0061419f699e1476811011e907642735d86087be1710b
SSDEEP

6144:zrOFqk9iqrLdD9/5bD38AMZCid5WlO3eeqOh/axlkSE09L9QzxE0QowO8kOXk6nc:YqLAdDjoAMEv+hWlBRe1w/JvZtQs2n

Score

7^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/952-133-0x0000000010000000-0x0000000010099000-memory.dmp	vmprotect
behavioral2/memory/952-135-0x0000000010000000-0x0000000010099000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 952	1224	rundll32.exe	84
PID 1224 wrote to memory of 952	1224	rundll32.exe	84
PID 1224 wrote to memory of 952	1224	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b07beca39864a312beea16bc0fcebf5d5bb0bb8c157066b9f9056efa9036d7ce.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b07beca39864a312beea16bc0fcebf5d5bb0bb8c157066b9f9056efa9036d7ce.dll,#1
  2⤵
  PID:952

memory/952-133-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/952-135-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download