4b98b7f55bc074a018604a358c9c43a5b6055f92a8e24a837a013e6ea45581b0

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 20:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b98b7f55bc074a018604a358c9c43a5b6055f92a8e24a837a013e6ea45581b0.dll
Size

2.4MB
MD5

0a4d4e927727407bd003cea58af8d908
SHA1

0d90db610285e9e8bfb54336451655ab151ecdf4
SHA256

4b98b7f55bc074a018604a358c9c43a5b6055f92a8e24a837a013e6ea45581b0
SHA512

6e580c870d3a969e2553ad5529e6d897fbfa7b3c52466b6389887ea2b83876a3f71e9c3710b3f5713dfda303750d771db1903861a401db6797bfe67eaf02e230
SSDEEP

49152:XU3U+ZYmxjpv7x4GFM/+b8dTMNh9Wr73h7NXSWEqNJO5hYTVMCRisKEZsh:XiU2YmxjpDx4Zo8dYNh9q73h7NXYkRib

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2352	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022e04-135.dat	upx
behavioral2/files/0x0009000000022e04-134.dat	upx
behavioral2/memory/2352-137-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
2352	rundll32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\mo999385.dl_	rundll32mgr.exe
File created	C:\Windows\SysWOW64\mo999385.dll	rundll32mgr.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	rundll32mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4920	2268	WerFault.exe	82

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2352	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 2268	3880	rundll32.exe	82
PID 3880 wrote to memory of 2268	3880	rundll32.exe	82
PID 3880 wrote to memory of 2268	3880	rundll32.exe	82
PID 2268 wrote to memory of 2352	2268	rundll32.exe	83
PID 2268 wrote to memory of 2352	2268	rundll32.exe	83
PID 2268 wrote to memory of 2352	2268	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b98b7f55bc074a018604a358c9c43a5b6055f92a8e24a837a013e6ea45581b0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b98b7f55bc074a018604a358c9c43a5b6055f92a8e24a837a013e6ea45581b0.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 624
    3⤵
    - Program crash
    PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2268 -ip 2268
1⤵
PID:5004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mo999385.dll

Filesize
80KB

MD5
9b02808f4e0b8a5e71a37949b6db062b

SHA1
715e45ad25db0fd7d2c1d856906637fd6467715c

SHA256
0c8f585418bce392ecbd330bae9a3535a4d92a2c9283e031024612935641cc30

SHA512
91844eb4490713c328704a0e4351fbce976a72136622b21f56fd9ae6f821eb5aa445c61ad07d885e67b126a2e66c3bb73d8e90bc305ffb48c94dcac650c6f415

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
208KB

MD5
30702b8be03ec73882ef9f700ca98d40

SHA1
acd19964125385bc817d50837bea8638461f3cb9

SHA256
5b78429264ff13ca4957824da80f17e7d4d5276b7aee5f5c6a61ae2bcf014734

SHA512
8ae82b394f3f8a25a84415aae950553bca76f8bcf4f45dcefebe7d00c1e66cd536671d0aa9143ee80d6e1cf69f1f500829f86119933212550856d239574848fe

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
208KB

MD5
30702b8be03ec73882ef9f700ca98d40

SHA1
acd19964125385bc817d50837bea8638461f3cb9

SHA256
5b78429264ff13ca4957824da80f17e7d4d5276b7aee5f5c6a61ae2bcf014734

SHA512
8ae82b394f3f8a25a84415aae950553bca76f8bcf4f45dcefebe7d00c1e66cd536671d0aa9143ee80d6e1cf69f1f500829f86119933212550856d239574848fe

Download Submit
memory/2268-139-0x0000000008000000-0x000000000826F000-memory.dmp

Filesize
2.4MB

Download
memory/2352-137-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2352-138-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download