0af6c657ed1f83d37794a81a079d9e7b105389ed83c9866e4fee3dc3339b10be

Analysis

max time kernel
34s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 03:29

Target

0af6c657ed1f83d37794a81a079d9e7b105389ed83c9866e4fee3dc3339b10be.dll
Size

16KB
MD5

5c1629e63a49a8a2b52f09101ccfcaea
SHA1

0e521635cebd5760f3b49d592f4fdd7d2b75c080
SHA256

0af6c657ed1f83d37794a81a079d9e7b105389ed83c9866e4fee3dc3339b10be
SHA512

270abd373c0520ce8ae01970745c427ea3a9cd53de2f614eb842974afe8874bb4973802066c4a860dece9309f14520068b4487e94768e4a3dc9b4ddc2c65b4cb
SSDEEP

384:S9a7L+KQ6B1WiXZopmPgzXmRYElh1LB9RTlnXLRbzlh:SYW6rGpUIJmLNlXFbb

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1536-56-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1324	1536	WerFault.exe	26

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1536 wrote to memory of 1324	1536	rundll32.exe	27
PID 1536 wrote to memory of 1324	1536	rundll32.exe	27
PID 1536 wrote to memory of 1324	1536	rundll32.exe	27
PID 1536 wrote to memory of 1324	1536	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0af6c657ed1f83d37794a81a079d9e7b105389ed83c9866e4fee3dc3339b10be.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0af6c657ed1f83d37794a81a079d9e7b105389ed83c9866e4fee3dc3339b10be.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 228
    3⤵
    - Program crash
    PID:1324

memory/1324-57-0x0000000000000000-mapping.dmp

Download
memory/1536-54-0x0000000000000000-mapping.dmp

Download
memory/1536-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1536-56-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download