79cdf5c7a5131d8ac7dddfd867a1c454b6d6277463a510a6440666cdeb25f386

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 07:21

Target

79cdf5c7a5131d8ac7dddfd867a1c454b6d6277463a510a6440666cdeb25f386.dll
Size

5.3MB
MD5

f3ff45d2e8bff67d85031472bc49aa43
SHA1

e08c06665e677a8ac90aa2f652559ec1343d5c78
SHA256

79cdf5c7a5131d8ac7dddfd867a1c454b6d6277463a510a6440666cdeb25f386
SHA512

070ce53d6c61e01e5f4e1f5e6acd4a8ea4a09c81be0ea86665b6416c590eea787feb3fb837188c9faee042ff00cf322d789255b34286fe595dc9ec06f03f10c2
SSDEEP

98304:kwalFfCaIRiYkx/yaR29rF9yV8Ynzueh3PSZ6DN225nLgmr/P72ud/+K:lqfrIRi/x/PRegzFSZcRQx

Score

8^/10

vmprotect

Blocklisted process makes network request 64 IoCs

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2184-0-0x00000000738F0000-0x0000000074173000-memory.dmp	vmprotect
behavioral1/memory/2184-13-0x00000000738F0000-0x0000000074173000-memory.dmp	vmprotect
behavioral1/memory/2184-3-0x00000000738F0000-0x0000000074173000-memory.dmp	vmprotect
behavioral1/memory/2184-14-0x00000000738F0000-0x0000000074173000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2184	rundll32.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	251	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2184	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2184	2116	rundll32.exe	18
PID 2116 wrote to memory of 2184	2116	rundll32.exe	18
PID 2116 wrote to memory of 2184	2116	rundll32.exe	18
PID 2116 wrote to memory of 2184	2116	rundll32.exe	18
PID 2116 wrote to memory of 2184	2116	rundll32.exe	18
PID 2116 wrote to memory of 2184	2116	rundll32.exe	18
PID 2116 wrote to memory of 2184	2116	rundll32.exe	18

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\79cdf5c7a5131d8ac7dddfd867a1c454b6d6277463a510a6440666cdeb25f386.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\79cdf5c7a5131d8ac7dddfd867a1c454b6d6277463a510a6440666cdeb25f386.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2184

memory/2184-0-0x00000000738F0000-0x0000000074173000-memory.dmp

Filesize
8.5MB

Download
memory/2184-1-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2184-4-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2184-6-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2184-13-0x00000000738F0000-0x0000000074173000-memory.dmp

Filesize
8.5MB

Download
memory/2184-12-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2184-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2184-8-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2184-7-0x0000000077CE0000-0x0000000077CE1000-memory.dmp

Filesize
4KB

Download
memory/2184-3-0x00000000738F0000-0x0000000074173000-memory.dmp

Filesize
8.5MB

Download
memory/2184-14-0x00000000738F0000-0x0000000074173000-memory.dmp

Filesize
8.5MB

Download