2b959bf862d9fbe941e979007f317ac1dba4f8af962aadfc2f1b451792784337

Analysis

max time kernel
77s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 19:38

Target

2b959bf862d9fbe941e979007f317ac1dba4f8af962aadfc2f1b451792784337.dll
Size

308KB
MD5

00730544f0f9202fa7d10d9c4f21a360
SHA1

2178442bc2ac04b4256515085ee1aef420ddfac4
SHA256

2b959bf862d9fbe941e979007f317ac1dba4f8af962aadfc2f1b451792784337
SHA512

9f07237dc41f91cbf01de47a7c2869bdf3c49fe6267645c9a43f87d21cd69387dfad574a1cfdf3a3f94fcbe8f6730347a6f540fdc727e24a3707da160f34dad8
SSDEEP

6144:yriT2hMLaWJLmxR62jWkhnMvcUKL39AmcxOWlsuoi2vX:3LaYWRKklocUY32xbyzX

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
5064	rundll32mgr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0008000000022e5b-134.dat	upx
behavioral2/files/0x0008000000022e5b-135.dat	upx
behavioral2/memory/5064-137-0x0000000000400000-0x0000000000480000-memory.dmp	upx
behavioral2/memory/5064-138-0x0000000000400000-0x0000000000480000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	5064	WerFault.exe	83

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 1124	4740	rundll32.exe	82
PID 4740 wrote to memory of 1124	4740	rundll32.exe	82
PID 4740 wrote to memory of 1124	4740	rundll32.exe	82
PID 1124 wrote to memory of 5064	1124	rundll32.exe	83
PID 1124 wrote to memory of 5064	1124	rundll32.exe	83
PID 1124 wrote to memory of 5064	1124	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b959bf862d9fbe941e979007f317ac1dba4f8af962aadfc2f1b451792784337.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b959bf862d9fbe941e979007f317ac1dba4f8af962aadfc2f1b451792784337.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:5064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 520
      4⤵
      Program crash
      PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064
1⤵
PID:624

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
184KB

MD5
9f1d413bad8c2ae51dae797bff0b471f

SHA1
1f284c735287387461666f30926afc3746609877

SHA256
ac914d391e854a0a7896944819fedb3eb2d1be4f34e3478abce2a4129a1f8845

SHA512
eaaa8499ce71d0f27912c2a194e62e9a9660602f9488503688d21fa9efc45a448a8e011c8bbb1feeca0b2fc25789362a2cc6069062e78e688abc0aa26e8b70c5

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
184KB

MD5
9f1d413bad8c2ae51dae797bff0b471f

SHA1
1f284c735287387461666f30926afc3746609877

SHA256
ac914d391e854a0a7896944819fedb3eb2d1be4f34e3478abce2a4129a1f8845

SHA512
eaaa8499ce71d0f27912c2a194e62e9a9660602f9488503688d21fa9efc45a448a8e011c8bbb1feeca0b2fc25789362a2cc6069062e78e688abc0aa26e8b70c5

Download Submit
memory/1124-136-0x0000000010000000-0x0000000010096000-memory.dmp

Filesize
600KB

Download
memory/5064-137-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5064-138-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download