b5e61224db265addd676275e862f41d3732252109c28fc77af911ffd6c6f0a02

Analysis

max time kernel
133s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 12:06

Target

b5e61224db265addd676275e862f41d3732252109c28fc77af911ffd6c6f0a02.dll
Size

295KB
MD5

2ae32607c6b09020477b571ef1a9ac60
SHA1

e25eeb39feff465d3f6b258a013bbaf0903c35f4
SHA256

b5e61224db265addd676275e862f41d3732252109c28fc77af911ffd6c6f0a02
SHA512

484ca2df35ac2811eb678ffbfd1f01c89c1473e3a3fc21f80b4baae3ef16b4004b203183108abe7d550056418bad5ed06d365aea9b297bf163ba379f930c27e0
SSDEEP

3072:E7qxa8NoYr6w5S8o6epM++v/cfLWvPT8IvQIhFupyufsm53fioxrz0PWuHGBcwKd:E+vNoYYcvhvPpv7hgpy+pVfioxc+la

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
3688	rundll32mgr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000a000000022e15-134.dat	upx
behavioral2/files/0x000a000000022e15-135.dat	upx
behavioral2/memory/3688-137-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3688-138-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4500	3688	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3452	4764	rundll32.exe	81
PID 4764 wrote to memory of 3452	4764	rundll32.exe	81
PID 4764 wrote to memory of 3452	4764	rundll32.exe	81
PID 3452 wrote to memory of 3688	3452	rundll32.exe	82
PID 3452 wrote to memory of 3688	3452	rundll32.exe	82
PID 3452 wrote to memory of 3688	3452	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5e61224db265addd676275e862f41d3732252109c28fc77af911ffd6c6f0a02.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5e61224db265addd676275e862f41d3732252109c28fc77af911ffd6c6f0a02.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:3688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 272
      4⤵
      Program crash
      PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3688 -ip 3688
1⤵
PID:4852

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
201KB

MD5
281b8e24fc062f50e31155b12df9678d

SHA1
9375588dd0442f8ef49282d46b1d72cfe080f30e

SHA256
6b89da851bd071f909df7ba1c5378e162ae0e517940afeff07817990101e0e29

SHA512
dc90e87c9d92c4620fb3f1222f09dd59e51d24b0c867f508c26305703ca83dc5357a10823f77ac1d026fe64b59729eee260c64a00398235b3a15e540a8460740

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
201KB

MD5
281b8e24fc062f50e31155b12df9678d

SHA1
9375588dd0442f8ef49282d46b1d72cfe080f30e

SHA256
6b89da851bd071f909df7ba1c5378e162ae0e517940afeff07817990101e0e29

SHA512
dc90e87c9d92c4620fb3f1222f09dd59e51d24b0c867f508c26305703ca83dc5357a10823f77ac1d026fe64b59729eee260c64a00398235b3a15e540a8460740

Download Submit
memory/3452-136-0x0000000010000000-0x0000000010290000-memory.dmp

Filesize
2.6MB

Download
memory/3688-137-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3688-138-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download