e1b1a4177b4d8b89de57470ea050f9eb39724c551443f1e4dbc1c381514f3b6c

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06/10/2023, 02:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e1b1a4177b4d8b89de57470ea050f9eb39724c551443f1e4dbc1c381514f3b6c.dll
Size

12.8MB
MD5

114a32ed74d7a72af86bbf3a3e7db214
SHA1

e532863d205f226ceb9d8d5b0c48d1cc5b9f8b9d
SHA256

e1b1a4177b4d8b89de57470ea050f9eb39724c551443f1e4dbc1c381514f3b6c
SHA512

5bbead7ded17cc69aa8173f1104abd7f9fc79d266f6f2468579b85fc4b41c6ab66e1c94e5fb877af5a6e61dd9df29b60814d8ae5566bd7d3cd5f8934ade7b13f
SSDEEP

196608:PojNPfB9z4u8vPhmlocaQrtGEaW2Q7mxVa6:PojNPnMJHE95GfW1Ua

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2448-0-0x0000000180000000-0x0000000180CDD000-memory.dmp	vmprotect
behavioral1/memory/2448-6-0x0000000180000000-0x0000000180CDD000-memory.dmp	vmprotect
behavioral1/memory/2448-33-0x0000000180000000-0x0000000180CDD000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	rundll32.exe
2448	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2632	2448	rundll32.exe	28
PID 2448 wrote to memory of 2632	2448	rundll32.exe	28
PID 2448 wrote to memory of 2632	2448	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1b1a4177b4d8b89de57470ea050f9eb39724c551443f1e4dbc1c381514f3b6c.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2448 -s 204
  2⤵
  PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2448-0-0x0000000180000000-0x0000000180CDD000-memory.dmp

Filesize
12.9MB

Download
memory/2448-1-0x0000000077D60000-0x0000000077D62000-memory.dmp

Filesize
8KB

Download
memory/2448-3-0x0000000077D60000-0x0000000077D62000-memory.dmp

Filesize
8KB

Download
memory/2448-6-0x0000000180000000-0x0000000180CDD000-memory.dmp

Filesize
12.9MB

Download
memory/2448-7-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/2448-5-0x0000000077D60000-0x0000000077D62000-memory.dmp

Filesize
8KB

Download
memory/2448-9-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/2448-11-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/2448-12-0x0000000077D80000-0x0000000077D82000-memory.dmp

Filesize
8KB

Download
memory/2448-14-0x0000000077D80000-0x0000000077D82000-memory.dmp

Filesize
8KB

Download
memory/2448-16-0x0000000077D80000-0x0000000077D82000-memory.dmp

Filesize
8KB

Download
memory/2448-17-0x0000000077D90000-0x0000000077D92000-memory.dmp

Filesize
8KB

Download
memory/2448-19-0x0000000077D90000-0x0000000077D92000-memory.dmp

Filesize
8KB

Download
memory/2448-21-0x0000000077D90000-0x0000000077D92000-memory.dmp

Filesize
8KB

Download
memory/2448-24-0x000007FEFDEA0000-0x000007FEFDEA2000-memory.dmp

Filesize
8KB

Download
memory/2448-26-0x000007FEFDEA0000-0x000007FEFDEA2000-memory.dmp

Filesize
8KB

Download
memory/2448-31-0x000007FEFDEB0000-0x000007FEFDEB2000-memory.dmp

Filesize
8KB

Download
memory/2448-29-0x000007FEFDEB0000-0x000007FEFDEB2000-memory.dmp

Filesize
8KB

Download
memory/2448-33-0x0000000180000000-0x0000000180CDD000-memory.dmp

Filesize
12.9MB

Download