d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 03:26

Target

d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
Size

154KB
MD5

1c5909b8aa9e8dcf7c625a18879eaa9a
SHA1

29cfd468ee12d9746aeb935b8a30e7ee609ae3e5
SHA256

d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462
SHA512

b94ebf34fb81fc37564513a5671c2a936d9f5d3293ce5a8d451b41d857fd1c27d1b2e3efdfc48c39e1b66af6b57789d5115e79eaa10b170cf54f69011ed3bd09
SSDEEP

3072:GElIePztdwiyKaZP1Pgu6Pb7ZlSkBAU2J5mkAuPb14qla4o0aZu7vmEtazVjDo:JlR0iYV0fSiufmkAEh4qlaoa0zmE0zV3

Score

9^/10

Detects executables packed with VMProtect. 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2416-1-0x0000000010000000-0x0000000010076000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2416-3-0x0000000010000000-0x0000000010076000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

behavioral1/memory/2416-1-0x0000000010000000-0x0000000010076000-memory.dmp vmprotect
behavioral1/memory/2416-3-0x0000000010000000-0x0000000010076000-memory.dmp vmprotect
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

2416 rundll32.exe

resource	yara_rule
behavioral1/memory/2416-1-0x0000000010000000-0x0000000010076000-memory.dmp	vmprotect
behavioral1/memory/2416-3-0x0000000010000000-0x0000000010076000-memory.dmp	vmprotect

pid	process
2416	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1252 wrote to memory of 2416	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 2416	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 2416	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 2416	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 2416	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 2416	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 2416	1252	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll,#1
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2416

memory/2416-1-0x0000000010000000-0x0000000010076000-memory.dmp

Filesize
472KB

Download
memory/2416-0-0x0000000010000000-0x0000000010076000-memory.dmp

Filesize
472KB

Download
memory/2416-2-0x0000000010070000-0x0000000010071000-memory.dmp

Filesize
4KB

Download
memory/2416-3-0x0000000010000000-0x0000000010076000-memory.dmp

Filesize
472KB

Download