1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026

Analysis

max time kernel
120s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 12:24

Target

1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026.dll
Size

14.6MB
MD5

6eaf6f6a28b0cae784a04a59c36a102b
SHA1

63ccbdf14e6621c98ada7e4228c7b100c4850e16
SHA256

1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026
SHA512

e5490f763ffab322f1e98ad342474cb1a168d3d740d628ab1982a5516b0456af406d68c307255566249e2480d84bb3f0097d31fc4596b8b2f443dcfd92513d0e
SSDEEP

196608:4RPoqFr6cC5APwjHD+nqNFneTLIOMNjKdeNeC6JVc5g4C/GdAsMD0xwr:yoer6nnjHFneTLIOMwUNP6b

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4852	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000b000000022f55-135.dat	upx
behavioral2/files/0x000b000000022f55-136.dat	upx
behavioral2/memory/4852-137-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2892	4852	WerFault.exe	84
4088	4736	WerFault.exe	83

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4736	4660	rundll32.exe	83
PID 4660 wrote to memory of 4736	4660	rundll32.exe	83
PID 4660 wrote to memory of 4736	4660	rundll32.exe	83
PID 4736 wrote to memory of 4852	4736	rundll32.exe	84
PID 4736 wrote to memory of 4852	4736	rundll32.exe	84
PID 4736 wrote to memory of 4852	4736	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 264
      4⤵
      Program crash
      PID:2892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 680
    3⤵
    - Program crash
    PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4852 -ip 4852
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4736 -ip 4736
1⤵
PID:1696

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
206KB

MD5
71a0cc521d70fca7e86fba2b799e54e3

SHA1
689ab159541c45d738be7329918808c1c1e58050

SHA256
e13ad23118da481600ad8e4ffd4d5e060eeb23da05eeffcd299c2cdcfa3dc023

SHA512
6da749226ddc085a8d04a8bdd3c30a0476257673c1489281301dc3204cc32fae6740e5b4368f8bc53d882ae7415034bf9dc98247504425e7c815387578796952

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
206KB

MD5
71a0cc521d70fca7e86fba2b799e54e3

SHA1
689ab159541c45d738be7329918808c1c1e58050

SHA256
e13ad23118da481600ad8e4ffd4d5e060eeb23da05eeffcd299c2cdcfa3dc023

SHA512
6da749226ddc085a8d04a8bdd3c30a0476257673c1489281301dc3204cc32fae6740e5b4368f8bc53d882ae7415034bf9dc98247504425e7c815387578796952

Download Submit
memory/4736-133-0x0000000010000000-0x0000000010EA3000-memory.dmp

Filesize
14.6MB

Download
memory/4736-138-0x0000000010000000-0x0000000010EA3000-memory.dmp

Filesize
14.6MB

Download
memory/4852-137-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download