32d346d89b91d4bfb3a1a98c3734db97fe7e39d4fc7f4800d3be032088e46343

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:37

Target

bnbz.tk/xtw.dll
Size

708KB
MD5

ee581add0d7464a5b4669370dc3b6c05
SHA1

b6f14f6f80ef64b214f6058763957fbd8179a739
SHA256

031ea8eef77d78b8ac2a2c0c9a145ddbf7d5b80bce745f330cd0df2bb5ba9a23
SHA512

ea2753f10838e93cb42cc61da1ab3a9676cd240ccc7ceaaa1b69dd1a284a78790a9bf6736707b69cb5287998226f4f4df1dbcf97752674584a783289d7828f84
SSDEEP

12288:dIOVtmdEa4678+sGUf0TIU745cDgZ2ohuvbmtEvUmrAujZ35PM+XCJ5:+O/Jw78+j45cDgtAvSivJrLjZ31M+

Score

7^/10

vmprotect

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral3/memory/2916-0-0x0000000010000000-0x00000000101BA000-memory.dmp	vmprotect
behavioral3/memory/2916-1-0x0000000010000000-0x00000000101BA000-memory.dmp	vmprotect
behavioral3/memory/2916-2-0x0000000010000000-0x00000000101BA000-memory.dmp	vmprotect
behavioral3/memory/2916-3-0x0000000010000000-0x00000000101BA000-memory.dmp	vmprotect
behavioral3/memory/2916-4-0x0000000010000000-0x00000000101BA000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2916	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	rundll32.exe
2916	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2916	3048	rundll32.exe	28
PID 3048 wrote to memory of 2916	3048	rundll32.exe	28
PID 3048 wrote to memory of 2916	3048	rundll32.exe	28
PID 3048 wrote to memory of 2916	3048	rundll32.exe	28
PID 3048 wrote to memory of 2916	3048	rundll32.exe	28
PID 3048 wrote to memory of 2916	3048	rundll32.exe	28
PID 3048 wrote to memory of 2916	3048	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bnbz.tk\xtw.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bnbz.tk\xtw.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

memory/2916-0-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2916-1-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2916-2-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2916-3-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2916-4-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download