394bcd336610f19862c4faa3a2203df4849c55a083c25bec73f83bc696de19d2

Analysis

max time kernel
77s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 03:29

Target

394bcd336610f19862c4faa3a2203df4849c55a083c25bec73f83bc696de19d2.dll
Size

132KB
MD5

544b5a6777a6d11201517bd997507cdf
SHA1

bdf58c8ab977075f096cf1bd4643f9c9a7ce8cfb
SHA256

394bcd336610f19862c4faa3a2203df4849c55a083c25bec73f83bc696de19d2
SHA512

5e4da3f1963750956e8bebd80880b31b0e2f1489a8fe6409890d2f6c204d1d893baffe8db6f3a7dc60e95926c67ad06f8004db5503fc58a8c73d48aa37dfa6cb
SSDEEP

1536:RibToqp78CcIGitlz+9ZxNPShtr9jOH5fit6f9qy46F+LNLv:RibTTp78CcxizSxNP8OZfitqTPwZb

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4504	rundll32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0007000000022f6b-134.dat	upx
behavioral2/files/0x0007000000022f6b-135.dat	upx
behavioral2/memory/4504-137-0x0000000000400000-0x0000000000441000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3816	4504	WerFault.exe	82
2416	4012	WerFault.exe	81

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4012	4644	rundll32.exe	81
PID 4644 wrote to memory of 4012	4644	rundll32.exe	81
PID 4644 wrote to memory of 4012	4644	rundll32.exe	81
PID 4012 wrote to memory of 4504	4012	rundll32.exe	82
PID 4012 wrote to memory of 4504	4012	rundll32.exe	82
PID 4012 wrote to memory of 4504	4012	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\394bcd336610f19862c4faa3a2203df4849c55a083c25bec73f83bc696de19d2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\394bcd336610f19862c4faa3a2203df4849c55a083c25bec73f83bc696de19d2.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 268
      4⤵
      Program crash
      PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 608
    3⤵
    - Program crash
    PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4504 -ip 4504
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4012 -ip 4012
1⤵
PID:2540

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
94KB

MD5
f6736faa3126f64ed4a7109e40c47806

SHA1
0d50917f44d6e173bac24916c95343616dcbf18c

SHA256
bc0cb854888c155cbfed860a6546bea3c82db643df30437fe14d91194939a874

SHA512
29cc26cd4df360252917a5d913e5e4776b6d05061b464f09dbb33918491affdc15cac9e142a9227a48f27d26db1f8ee85bd3d417365d6fef9b2fd380e090efe5

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
94KB

MD5
f6736faa3126f64ed4a7109e40c47806

SHA1
0d50917f44d6e173bac24916c95343616dcbf18c

SHA256
bc0cb854888c155cbfed860a6546bea3c82db643df30437fe14d91194939a874

SHA512
29cc26cd4df360252917a5d913e5e4776b6d05061b464f09dbb33918491affdc15cac9e142a9227a48f27d26db1f8ee85bd3d417365d6fef9b2fd380e090efe5

Download Submit
memory/4012-136-0x000000006D080000-0x000000006D0A1000-memory.dmp

Filesize
132KB

Download
memory/4504-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download