057d17a3a9fa5516c79c485649baf34e65faa93440aec2f8c7a369f5620a3c60

Analysis

max time kernel
61s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 16:10

Target

057d17a3a9fa5516c79c485649baf34e65faa93440aec2f8c7a369f5620a3c60.dll
Size

286KB
MD5

281f5fcf948fc41eebee87989c006d34
SHA1

56e3d628fae7dcb0e48e0de81ab12266ee4b6e2b
SHA256

057d17a3a9fa5516c79c485649baf34e65faa93440aec2f8c7a369f5620a3c60
SHA512

0ffcde252947d7341bfbb59d61dedd35857a7d55c5dc20c575d0e8a6bfd08924047a9bb158435e736d29ef9890d32fa51a29efb07fa280d3abb5e9dff55b7a42
SSDEEP

6144:WyzFztEd/FY8FFYwC2LNAuPZkzsj/JilOU+tkj1F9dS:FFztEd/FY8F6Z2UsgwUr5LE

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
5088	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000400000000072d-134.dat	upx
behavioral2/files/0x000400000000072d-135.dat	upx
behavioral2/memory/5088-137-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4676	2328	WerFault.exe	82
4644	5088	WerFault.exe	83

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2328	1796	rundll32.exe	82
PID 1796 wrote to memory of 2328	1796	rundll32.exe	82
PID 1796 wrote to memory of 2328	1796	rundll32.exe	82
PID 2328 wrote to memory of 5088	2328	rundll32.exe	83
PID 2328 wrote to memory of 5088	2328	rundll32.exe	83
PID 2328 wrote to memory of 5088	2328	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\057d17a3a9fa5516c79c485649baf34e65faa93440aec2f8c7a369f5620a3c60.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\057d17a3a9fa5516c79c485649baf34e65faa93440aec2f8c7a369f5620a3c60.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:5088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 264
      4⤵
      Program crash
      PID:4644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 648
    3⤵
    - Program crash
    PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2328 -ip 2328
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5088 -ip 5088
1⤵
PID:4692

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
c36096b199f87f6d3758ed7a152b79de

SHA1
21b7c7938eecc4ebdb8f4c69754ce50b696b9091

SHA256
14b99e4d4264c03a38badcdf5cf23c97b48b8c058fbf2a62d53af838a992d638

SHA512
27662bf69cdbbe6f8f7c9502fe6db48940beaf2b52bc82456b29ee0128ccf338e954aa2dacc22a9c417ec62be5c8af53393ea943901bf834ad515111c561a76e

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
c36096b199f87f6d3758ed7a152b79de

SHA1
21b7c7938eecc4ebdb8f4c69754ce50b696b9091

SHA256
14b99e4d4264c03a38badcdf5cf23c97b48b8c058fbf2a62d53af838a992d638

SHA512
27662bf69cdbbe6f8f7c9502fe6db48940beaf2b52bc82456b29ee0128ccf338e954aa2dacc22a9c417ec62be5c8af53393ea943901bf834ad515111c561a76e

Download Submit
memory/2328-136-0x0000000074D20000-0x0000000074D85000-memory.dmp

Filesize
404KB

Download
memory/5088-137-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download