6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d

Analysis

max time kernel
162s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 03:27

Target

6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll
Size

596KB
MD5

7ba3161d629cc179412835c88c4500f7
SHA1

8773e6711a316100db0f319ee6decd9d433fab1e
SHA256

6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d
SHA512

7ac20b72505ffe2a3d4c09896dc3d41da18d9d199c045ba053cc85de276256d9a53eb5917be362c7b771089adff80603d74a2b68195f6e632ab66ff6b4414776
SSDEEP

12288:bXo450qjYthuCNIm/kqF6a2FjyHIDiroM3kN:y/ku6FjyHe+oM32

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4728	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0007000000022e05-135.dat	upx
behavioral2/memory/4728-137-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/files/0x0007000000022e05-136.dat	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4248	4468	WerFault.exe	83
4720	4728	WerFault.exe	85

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4468	4904	rundll32.exe	83
PID 4904 wrote to memory of 4468	4904	rundll32.exe	83
PID 4904 wrote to memory of 4468	4904	rundll32.exe	83
PID 4468 wrote to memory of 4728	4468	rundll32.exe	85
PID 4468 wrote to memory of 4728	4468	rundll32.exe	85
PID 4468 wrote to memory of 4728	4468	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 264
      4⤵
      Program crash
      PID:4720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 696
    3⤵
    - Program crash
    PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4728 -ip 4728
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4468 -ip 4468
1⤵
PID:2352

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
221KB

MD5
ce0c184845b7fcfffeb671f7f992a177

SHA1
41f7d4b9ddac19ba5cd10e4a4aff5168d4443171

SHA256
2c576d543410c985df7b044ef8dc203c0846016d16a5785d67556d3a85b86a96

SHA512
f41dc07ba2fa14a612dbf2d17b511b34413d6eae6af82ec5d5c44bf7c2b9a29b74e4eb436853c0618451f06a75f0b96078a66f715a6041f55fb697aef7d160ac

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
221KB

MD5
ce0c184845b7fcfffeb671f7f992a177

SHA1
41f7d4b9ddac19ba5cd10e4a4aff5168d4443171

SHA256
2c576d543410c985df7b044ef8dc203c0846016d16a5785d67556d3a85b86a96

SHA512
f41dc07ba2fa14a612dbf2d17b511b34413d6eae6af82ec5d5c44bf7c2b9a29b74e4eb436853c0618451f06a75f0b96078a66f715a6041f55fb697aef7d160ac

Download Submit
memory/4468-133-0x0000000010000000-0x00000000126CD000-memory.dmp

Filesize
38.8MB

Download
memory/4468-138-0x0000000010000000-0x00000000126CD000-memory.dmp

Filesize
38.8MB

Download
memory/4728-137-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download