97c4197cf1bf924bdd1f27db07905fcdaa2b8d4778fae44bb121e9db3b9a9bbc

Analysis

max time kernel
94s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 04:52

Target

97c4197cf1bf924bdd1f27db07905fcdaa2b8d4778fae44bb121e9db3b9a9bbc.dll
Size

964KB
MD5

5abb674e25e95b11a84036580bd5eb95
SHA1

072104cb6a954e0d6b11fee89ff288bd19082f68
SHA256

97c4197cf1bf924bdd1f27db07905fcdaa2b8d4778fae44bb121e9db3b9a9bbc
SHA512

ce479fb45268ce68425694e1c151265ab0634d97aacbcf7f044b9d06fe0ab6747adb0adde49eea56c41502915e61e7a30111eb8a034404e7b41c9b5ff669e2d8
SSDEEP

24576:ydtvig4EWCLljkwVABNzleCOEpnDtm6oC2yjrBzN6C:yd5ig4PCLljkwVABNzl3OEpxm6PZjFzj

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2192	regsvr32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0009000000022f42-134.dat	upx
behavioral2/files/0x0009000000022f42-135.dat	upx
behavioral2/memory/2192-137-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1380	2192	WerFault.exe	83

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4904	4844	regsvr32.exe	82
PID 4844 wrote to memory of 4904	4844	regsvr32.exe	82
PID 4844 wrote to memory of 4904	4844	regsvr32.exe	82
PID 4904 wrote to memory of 2192	4904	regsvr32.exe	83
PID 4904 wrote to memory of 2192	4904	regsvr32.exe	83
PID 4904 wrote to memory of 2192	4904	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\97c4197cf1bf924bdd1f27db07905fcdaa2b8d4778fae44bb121e9db3b9a9bbc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\97c4197cf1bf924bdd1f27db07905fcdaa2b8d4778fae44bb121e9db3b9a9bbc.dll
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:2192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 264
      4⤵
      Program crash
      PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2192 -ip 2192
1⤵
PID:4484

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
220KB

MD5
1b7fc3fa0a84470506c3028b48a5f04d

SHA1
3fa9f258fd20c92c0dd366f1520d44f61e236d3b

SHA256
9f62f582fc02ae7b3b5df9a8a90718a80773eed10828014cee2a938976ab056b

SHA512
1259215288d11be9493abc5d9babec8ff2563be3ed1aaf47fbda3f5832d7604f4f5956d09a06854ff133fb9e0971ac398966c46c743dee3f0aead6a2d0901c19

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
220KB

MD5
1b7fc3fa0a84470506c3028b48a5f04d

SHA1
3fa9f258fd20c92c0dd366f1520d44f61e236d3b

SHA256
9f62f582fc02ae7b3b5df9a8a90718a80773eed10828014cee2a938976ab056b

SHA512
1259215288d11be9493abc5d9babec8ff2563be3ed1aaf47fbda3f5832d7604f4f5956d09a06854ff133fb9e0971ac398966c46c743dee3f0aead6a2d0901c19

Download Submit
memory/2192-137-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4904-136-0x0000000010000000-0x0000000010109000-memory.dmp

Filesize
1.0MB

Download