f1c8aa3fcb7d27a2d7f5645de0713803c181408c082a67c6ac24f7c3b76d3117

Resubmissions

12/06/2024, 20:59

12/06/2024, 20:51

12/06/2024, 20:47

max time kernel
103s
max time network
79s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 20:59

Target

ntmssvc.dll
Size

5.3MB
MD5

6588b099f03fc61bca79b987cfbcd897
SHA1

f3e30967ad67ef220512552dde22179c2b4af82e
SHA256

f1c8aa3fcb7d27a2d7f5645de0713803c181408c082a67c6ac24f7c3b76d3117
SHA512

3d842b58ea4df039e8d8311293421babe4bfb015159a7400ee8a19ee373a321d87e489c2fbd02fa8282d879d75fb8da50c9f9f912d31487706979134413545a4
SSDEEP

98304:p/PzxVvzRLIvECcaIj3Q9QL3dGVL7xaEY8jCZeKgq841zEdlUP9gu0IVDPS6kszs:B1VVOW3QSL3dGVlCgquIP9gHamzlX0c

Score

7^/10

vmprotect

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2212-14-0x000007FEF53C0000-0x000007FEF5C91000-memory.dmp	vmprotect
behavioral1/memory/2212-12-0x000007FEF53C0000-0x000007FEF5C91000-memory.dmp	vmprotect
behavioral1/memory/1844-16-0x000007FEF51F0000-0x000007FEF5AC1000-memory.dmp	vmprotect
behavioral1/memory/1844-31-0x000007FEF51F0000-0x000007FEF5AC1000-memory.dmp	vmprotect
behavioral1/memory/1844-30-0x000007FEF51F0000-0x000007FEF5AC1000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2212	rundll32.exe
1844	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1844	1740	cmd.exe	36
PID 1740 wrote to memory of 1844	1740	cmd.exe	36
PID 1740 wrote to memory of 1844	1740	cmd.exe	36
PID 1740 wrote to memory of 1880	1740	cmd.exe	37
PID 1740 wrote to memory of 1880	1740	cmd.exe	37
PID 1740 wrote to memory of 1880	1740	cmd.exe	37

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\system32\rundll32.exe
  rundll32.exe ntmssvc.dll,ServiceMain
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1880

memory/1844-16-0x000007FEF51F0000-0x000007FEF5AC1000-memory.dmp

Filesize
8.8MB

Download
memory/1844-30-0x000007FEF51F0000-0x000007FEF5AC1000-memory.dmp

Filesize
8.8MB

Download
memory/1844-31-0x000007FEF51F0000-0x000007FEF5AC1000-memory.dmp

Filesize
8.8MB

Download
memory/1844-21-0x0000000077930000-0x0000000077932000-memory.dmp

Filesize
8KB

Download
memory/1844-26-0x0000000077940000-0x0000000077942000-memory.dmp

Filesize
8KB

Download
memory/2212-10-0x0000000077940000-0x0000000077942000-memory.dmp

Filesize
8KB

Download
memory/2212-0-0x000007FEF53DF000-0x000007FEF5749000-memory.dmp

Filesize
3.4MB

Download
memory/2212-14-0x000007FEF53C0000-0x000007FEF5C91000-memory.dmp

Filesize
8.8MB

Download
memory/2212-12-0x000007FEF53C0000-0x000007FEF5C91000-memory.dmp

Filesize
8.8MB

Download
memory/2212-15-0x000007FEF53C0000-0x000007FEF5C91000-memory.dmp

Filesize
8.8MB

Download
memory/2212-8-0x0000000077940000-0x0000000077942000-memory.dmp

Filesize
8KB

Download
memory/2212-6-0x0000000077940000-0x0000000077942000-memory.dmp

Filesize
8KB

Download
memory/2212-1-0x0000000077930000-0x0000000077932000-memory.dmp

Filesize
8KB

Download
memory/2212-3-0x0000000077930000-0x0000000077932000-memory.dmp

Filesize
8KB

Download
memory/2212-5-0x0000000077930000-0x0000000077932000-memory.dmp

Filesize
8KB

Download