32d346d89b91d4bfb3a1a98c3734db97fe7e39d4fc7f4800d3be032088e46343

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 19:37

Target

bnbz.tk/xtw.dll
Size

708KB
MD5

ee581add0d7464a5b4669370dc3b6c05
SHA1

b6f14f6f80ef64b214f6058763957fbd8179a739
SHA256

031ea8eef77d78b8ac2a2c0c9a145ddbf7d5b80bce745f330cd0df2bb5ba9a23
SHA512

ea2753f10838e93cb42cc61da1ab3a9676cd240ccc7ceaaa1b69dd1a284a78790a9bf6736707b69cb5287998226f4f4df1dbcf97752674584a783289d7828f84
SSDEEP

12288:dIOVtmdEa4678+sGUf0TIU745cDgZ2ohuvbmtEvUmrAujZ35PM+XCJ5:+O/Jw78+j45cDgtAvSivJrLjZ31M+

Score

7^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral4/memory/3992-0-0x0000000010000000-0x00000000101BA000-memory.dmp	vmprotect
behavioral4/memory/3992-1-0x0000000010000000-0x00000000101BA000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3992	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3992	5012	rundll32.exe	12
PID 5012 wrote to memory of 3992	5012	rundll32.exe	12
PID 5012 wrote to memory of 3992	5012	rundll32.exe	12

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bnbz.tk\xtw.dll,#1
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3992

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bnbz.tk\xtw.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5012

memory/3992-0-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/3992-1-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download