12afc88c6568f07bc63b2f6a7b84d42d5222b6d0d83156bced1a19c559d56dee

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 12:24

Target

12afc88c6568f07bc63b2f6a7b84d42d5222b6d0d83156bced1a19c559d56dee.dll
Size

113KB
MD5

2bbb1c2bcb43c09f62c793b87ceee67d
SHA1

854a7ef6c76992ef986a26ae1fd1ea942abac659
SHA256

12afc88c6568f07bc63b2f6a7b84d42d5222b6d0d83156bced1a19c559d56dee
SHA512

4b35d3466429077e34587c37c0ab90ff41b9be4bac8e6bfcaf6a2ad29afccc49a4f2b0121ea8a0fa30f852e9a7eefc25f9c7147b7f37283e3d23d6ec9a6086a5
SSDEEP

3072:dwUfOBjVrYMgjXzzABvnrrUMyTc1ZvDNVQprMx95tMLdXqZLYW:dBWBjKDXzzAN8MyTc1ZvDNVQprMx95tJ

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1476	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0007000000022f48-134.dat	upx
behavioral2/files/0x0007000000022f48-135.dat	upx
behavioral2/memory/1476-137-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4120	1476	WerFault.exe	84

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 5048	2232	rundll32.exe	83
PID 2232 wrote to memory of 5048	2232	rundll32.exe	83
PID 2232 wrote to memory of 5048	2232	rundll32.exe	83
PID 5048 wrote to memory of 1476	5048	rundll32.exe	84
PID 5048 wrote to memory of 1476	5048	rundll32.exe	84
PID 5048 wrote to memory of 1476	5048	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12afc88c6568f07bc63b2f6a7b84d42d5222b6d0d83156bced1a19c559d56dee.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\12afc88c6568f07bc63b2f6a7b84d42d5222b6d0d83156bced1a19c559d56dee.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 220
      4⤵
      Program crash
      PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1476 -ip 1476
1⤵
PID:1236

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
9b49fec7e03c33277f188a2819b8d726

SHA1
a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f

SHA256
9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

SHA512
049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
9b49fec7e03c33277f188a2819b8d726

SHA1
a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f

SHA256
9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

SHA512
049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d

Download Submit
memory/1476-137-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5048-136-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download