6c02318ae65496c8b178affa6cce80a195fd5c4c9c46e8f0f93fcfa252ba49cb | Triage

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 13:00

Sharing

Report Analysis Logs

General

Target

temp7891.dll
Size

265KB
MD5

977047d8056727175987eefdfd8b2089
SHA1

26704c70f7f7cc9f5f328d36e2893a3bee9e1c77
SHA256

258699a2265e205a61df562424043f7f66fb192d695b5ae506a519e1ff3f458e
SHA512

f6a13b9e7ba6351a5ea28d160dead67a4aca99b95ecd1eacd666b3780182bbae13b761b451f4c87ac72ff5101fa3d19eae5694666ef3664ccb27e270426bb03f
SSDEEP

6144:S3FDUtUjbEbPdg6WdBIBbgmpLVfETmL3aQYny+:2FAebwu6AID3ET43aQn+

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral12/memory/2564-1-0x0000000010000000-0x0000000010086000-memory.dmp	vmprotect
behavioral12/memory/2564-0-0x0000000010000000-0x0000000010086000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2564	1560	rundll32.exe	14
PID 1560 wrote to memory of 2564	1560	rundll32.exe	14
PID 1560 wrote to memory of 2564	1560	rundll32.exe	14

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\temp7891.dll,#1
1⤵
PID:2564

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\temp7891.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2564-1-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/2564-0-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download