77fb5f33beadbc1d7915ee35c8059ccc6805989e115f3fe4829edd6813107c51

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 17:34

Target

313f8e5e0e7f600ee71eb44f324660e7.dll
Size

378KB
MD5

313f8e5e0e7f600ee71eb44f324660e7
SHA1

1eda3909797eb52f78788a191d56d91548c5bcfe
SHA256

77fb5f33beadbc1d7915ee35c8059ccc6805989e115f3fe4829edd6813107c51
SHA512

357232be454a9501e886c8d42e3db5c2fe0cb7433d3aa2ed091c5db71c985decff15cde18ed42055bd032c31d501dbc4da931a7950f767ce52529b53a72d121c
SSDEEP

6144:+wTK861cZgXkf2ehYGw8lrIbBsYMhQR4cFKtK6MpQIPZqTTHGfwXZaU9Ixe2auWq:FTK861chf19w04B+hQGcwK6qQIPZq3Gv

Score

7^/10

vmprotect

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/3064-0-0x0000000010000000-0x00000000100C7000-memory.dmp	vmprotect
behavioral2/memory/3064-1-0x0000000010000000-0x00000000100C7000-memory.dmp	vmprotect
behavioral2/memory/3064-2-0x0000000010000000-0x00000000100C7000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3064	5056	rundll32.exe	16
PID 5056 wrote to memory of 3064	5056	rundll32.exe	16
PID 5056 wrote to memory of 3064	5056	rundll32.exe	16

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\313f8e5e0e7f600ee71eb44f324660e7.dll,#1
1⤵
PID:3064

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\313f8e5e0e7f600ee71eb44f324660e7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5056

memory/3064-0-0x0000000010000000-0x00000000100C7000-memory.dmp

Filesize
796KB

Download
memory/3064-1-0x0000000010000000-0x00000000100C7000-memory.dmp

Filesize
796KB

Download
memory/3064-2-0x0000000010000000-0x00000000100C7000-memory.dmp

Filesize
796KB

Download