1cd913e0beafc5afa82a7821054d4df90b06516ee7a2c33b81278ba514fe92ed

Analysis

max time kernel
144s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 07:40

Target

1cd913e0beafc5afa82a7821054d4df90b06516ee7a2c33b81278ba514fe92ed.dll
Size

6.6MB
MD5

2140717f27fc63a93ed8af9ab43b9b16
SHA1

050ec47707d94d7f7f477fb37307950ce4f763c5
SHA256

1cd913e0beafc5afa82a7821054d4df90b06516ee7a2c33b81278ba514fe92ed
SHA512

f4a4a8dfb519d27aac1fdc80e138465b71600f2dffcb1e92093d9359c2b06bb6f90565fecaefe08b47685ebe794b1d8c46d74c8f8392284382f3194fda613516
SSDEEP

196608:B0kcy4+ARnEFj57uOE/nqKtI5TlBflP4Uj:B0kL4+AFohuOE/nqKiH4Uj

Score

7^/10

vmprotect

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/3812-0-0x0000000010000000-0x0000000010BBA000-memory.dmp	vmprotect
behavioral2/memory/3812-10-0x0000000010000000-0x0000000010BBA000-memory.dmp	vmprotect
behavioral2/memory/3812-13-0x0000000010000000-0x0000000010BBA000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3812	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3812	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 3812	4380	rundll32.exe	86
PID 4380 wrote to memory of 3812	4380	rundll32.exe	86
PID 4380 wrote to memory of 3812	4380	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1cd913e0beafc5afa82a7821054d4df90b06516ee7a2c33b81278ba514fe92ed.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1cd913e0beafc5afa82a7821054d4df90b06516ee7a2c33b81278ba514fe92ed.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3812

memory/3812-0-0x0000000010000000-0x0000000010BBA000-memory.dmp

Filesize
11.7MB

Download
memory/3812-1-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3812-2-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3812-3-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3812-4-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3812-5-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3812-6-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3812-8-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3812-9-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3812-10-0x0000000010000000-0x0000000010BBA000-memory.dmp

Filesize
11.7MB

Download
memory/3812-13-0x0000000010000000-0x0000000010BBA000-memory.dmp

Filesize
11.7MB

Download