acab0388070b8034bbcb4e866bd40c6055d41c1b1a95a8105d245bf5a5581165

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:31

Target

acab0388070b8034bbcb4e866bd40c6055d41c1b1a95a8105d245bf5a5581165.dll
Size

5.3MB
MD5

488d467405003e467a1e08fe8d6c28ea
SHA1

d1064a03cff8d2e754228ef3c7c599ed252d06f2
SHA256

acab0388070b8034bbcb4e866bd40c6055d41c1b1a95a8105d245bf5a5581165
SHA512

f97acf71f88396ba8b1f6979b6b2f0f429ade726e921f2a59f00cf71999806bbc4780f4093c67fd5ce2c040490a9213a4c93ebe1568b6c73d577691615223cb4
SSDEEP

98304:R4Qg8v1e2Et6F7OnzGDzbtZFDV4din3QPesrQHKtnOB/6owPBgfXYZT+/:up8tePn2zxZb4dcAGsrQ8FowPBgwB+/

Score

7^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/3036-5-0x0000000073630000-0x0000000073E8F000-memory.dmp	vmprotect
behavioral1/memory/3036-8-0x0000000073630000-0x0000000073E8F000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3036 rundll32.exe
3036 rundll32.exe

pid	process
3036	rundll32.exe
3036	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2368 wrote to memory of 3036	2368	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 3036	2368	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 3036	2368	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 3036	2368	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 3036	2368	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 3036	2368	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 3036	2368	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acab0388070b8034bbcb4e866bd40c6055d41c1b1a95a8105d245bf5a5581165.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\acab0388070b8034bbcb4e866bd40c6055d41c1b1a95a8105d245bf5a5581165.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

memory/3036-2-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/3036-0-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/3036-4-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/3036-6-0x0000000073636000-0x000000007394C000-memory.dmp

Filesize
3.1MB

Download
memory/3036-5-0x0000000073630000-0x0000000073E8F000-memory.dmp

Filesize
8.4MB

Download
memory/3036-7-0x0000000073636000-0x000000007394C000-memory.dmp

Filesize
3.1MB

Download
memory/3036-8-0x0000000073630000-0x0000000073E8F000-memory.dmp

Filesize
8.4MB

Download