Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 03:26
Behavioral task: behavioral1
- Sample: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
- Resource: win10v2004-20240508-en
General
- Target: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
- Size: 154KB
- MD5: 1c5909b8aa9e8dcf7c625a18879eaa9a
- SHA1: 29cfd468ee12d9746aeb935b8a30e7ee609ae3e5
- SHA256: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462
- SHA512: b94ebf34fb81fc37564513a5671c2a936d9f5d3293ce5a8d451b41d857fd1c27d1b2e3efdfc48c39e1b66af6b57789d5115e79eaa10b170cf54f69011ed3bd09
- SSDEEP: 3072:GElIePztdwiyKaZP1Pgu6Pb7ZlSkBAU2J5mkAuPb14qla4o0aZu7vmEtazVjDo:JlR0iYV0fSiufmkAEh4qlaoa0zmE0zV3
Malware Config
Signatures
- Detects executables packed with VMProtect. 2 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/448-0-0x0000000010000000-0x0000000010076000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
  behavioral2/memory/448-2-0x0000000010000000-0x0000000010076000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
  Processes:
  resource | yara_rule
  behavioral2/memory/448-0-0x0000000010000000-0x0000000010076000-memory.dmp | vmprotect
  behavioral2/memory/448-2-0x0000000010000000-0x0000000010076000-memory.dmp | vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes:
  pid | process
  448 | rundll32.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes:
  description | pid | process | target process
  PID 672 wrote to memory of 448 | 672 | rundll32.exe | rundll32.exe
  PID 672 wrote to memory of 448 | 672 | rundll32.exe | rundll32.exe
  PID 672 wrote to memory of 448 | 672 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of the process above)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll,#1
    Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger