baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417

Analysis

max time kernel
164s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 12:05

Target

baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417.dll
Size

922KB
MD5

69266422d558e7d94713d25dadded350
SHA1

6cdb1c2c853ad0e4663802673a006d233e82019a
SHA256

baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417
SHA512

fa721af30fac2fa7b4407363a7f72fc7a9ee76618ae5f119031d2498d51b55874fbb77c3531c56a1025b3a528ef0b094d51a46d3f367fb92a97c6861ca4b08de
SSDEEP

12288:53RWz/CTxoOAjzHljSA6cg8rPbSHYIkhEmEazstA+UinhcoqzJPYoO8lrS9Ehc96:zRbEluQYYIkhwazrQzqlP+9EhWwIg

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4276	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0006000000022e2a-135.dat	upx
behavioral2/files/0x0006000000022e2a-134.dat	upx
behavioral2/memory/4276-136-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4916	4276	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4224	544	rundll32.exe	81
PID 544 wrote to memory of 4224	544	rundll32.exe	81
PID 544 wrote to memory of 4224	544	rundll32.exe	81
PID 4224 wrote to memory of 4276	4224	rundll32.exe	82
PID 4224 wrote to memory of 4276	4224	rundll32.exe	82
PID 4224 wrote to memory of 4276	4224	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 264
      4⤵
      Program crash
      PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4276 -ip 4276
1⤵
PID:4300

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
173KB

MD5
77c5d1f7d9596e57a88f4dbcf3fef526

SHA1
fb265bb6a2cc331edb70b90d36d42ec6e61544ab

SHA256
d09416051d3a9cb33fa22cea2347fab648bfb262d58a5f26bde7da61a7fefae0

SHA512
4d24d309469c834d663f62ae31b52ccd1ca2d0dc73d07d0e4bb19d78fe955ae040554062a972d17106e1a6da738002ceb87a5ccb65517374ba2cca966bb87d3c

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
173KB

MD5
77c5d1f7d9596e57a88f4dbcf3fef526

SHA1
fb265bb6a2cc331edb70b90d36d42ec6e61544ab

SHA256
d09416051d3a9cb33fa22cea2347fab648bfb262d58a5f26bde7da61a7fefae0

SHA512
4d24d309469c834d663f62ae31b52ccd1ca2d0dc73d07d0e4bb19d78fe955ae040554062a972d17106e1a6da738002ceb87a5ccb65517374ba2cca966bb87d3c

Download Submit
memory/4276-136-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download