866abe98b46b6fd62adb6c193f912a4d7e314f58fc12a0e816a02fa16173ade0

Analysis

max time kernel
134s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

866abe98b46b6fd62adb6c193f912a4d7e314f58fc12a0e816a02fa16173ade0.dll
Size

248KB
MD5

96c25b4d1c535f93926be00954803050
SHA1

b7cd2904600a40324083e5a717990f2f525f73d0
SHA256

866abe98b46b6fd62adb6c193f912a4d7e314f58fc12a0e816a02fa16173ade0
SHA512

d8c9c08904f1cbdc2dad99ef8eba00d3b5f31cbdccf1498dfdcfee73554e0e6bdaca672afe9f59516ed5b6972241958cf6fed5603ca0bcf8307a2e7b7e6dda54
SSDEEP

3072:tWJxBAtW4kJ3kZ05RObSyK4H2XFSleNMnFPZXf1Xub5sWADEd1HA5CF:tW1/4kBkZEhDMcMv4wEd1HA8F

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2960	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000021b42-134.dat	upx
behavioral2/files/0x0002000000021b42-135.dat	upx
behavioral2/memory/2960-137-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4220	3672	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2960	rundll32mgr.exe
2960	rundll32mgr.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe
2960	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	rundll32mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3672	4740	rundll32.exe	80
PID 4740 wrote to memory of 3672	4740	rundll32.exe	80
PID 4740 wrote to memory of 3672	4740	rundll32.exe	80
PID 3672 wrote to memory of 2960	3672	rundll32.exe	81
PID 3672 wrote to memory of 2960	3672	rundll32.exe	81
PID 3672 wrote to memory of 2960	3672	rundll32.exe	81
PID 2960 wrote to memory of 592	2960	rundll32mgr.exe	3
PID 2960 wrote to memory of 592	2960	rundll32mgr.exe	3
PID 2960 wrote to memory of 592	2960	rundll32mgr.exe	3
PID 2960 wrote to memory of 592	2960	rundll32mgr.exe	3
PID 2960 wrote to memory of 592	2960	rundll32mgr.exe	3
PID 2960 wrote to memory of 592	2960	rundll32mgr.exe	3
PID 2960 wrote to memory of 672	2960	rundll32mgr.exe	1
PID 2960 wrote to memory of 672	2960	rundll32mgr.exe	1
PID 2960 wrote to memory of 672	2960	rundll32mgr.exe	1
PID 2960 wrote to memory of 672	2960	rundll32mgr.exe	1
PID 2960 wrote to memory of 672	2960	rundll32mgr.exe	1
PID 2960 wrote to memory of 672	2960	rundll32mgr.exe	1
PID 2960 wrote to memory of 784	2960	rundll32mgr.exe	8
PID 2960 wrote to memory of 784	2960	rundll32mgr.exe	8
PID 2960 wrote to memory of 784	2960	rundll32mgr.exe	8
PID 2960 wrote to memory of 784	2960	rundll32mgr.exe	8
PID 2960 wrote to memory of 784	2960	rundll32mgr.exe	8
PID 2960 wrote to memory of 784	2960	rundll32mgr.exe	8
PID 2960 wrote to memory of 788	2960	rundll32mgr.exe	9
PID 2960 wrote to memory of 788	2960	rundll32mgr.exe	9
PID 2960 wrote to memory of 788	2960	rundll32mgr.exe	9
PID 2960 wrote to memory of 788	2960	rundll32mgr.exe	9
PID 2960 wrote to memory of 788	2960	rundll32mgr.exe	9
PID 2960 wrote to memory of 788	2960	rundll32mgr.exe	9
PID 2960 wrote to memory of 800	2960	rundll32mgr.exe	79
PID 2960 wrote to memory of 800	2960	rundll32mgr.exe	79
PID 2960 wrote to memory of 800	2960	rundll32mgr.exe	79
PID 2960 wrote to memory of 800	2960	rundll32mgr.exe	79
PID 2960 wrote to memory of 800	2960	rundll32mgr.exe	79
PID 2960 wrote to memory of 800	2960	rundll32mgr.exe	79
PID 2960 wrote to memory of 908	2960	rundll32mgr.exe	16
PID 2960 wrote to memory of 908	2960	rundll32mgr.exe	16
PID 2960 wrote to memory of 908	2960	rundll32mgr.exe	16
PID 2960 wrote to memory of 908	2960	rundll32mgr.exe	16
PID 2960 wrote to memory of 908	2960	rundll32mgr.exe	16
PID 2960 wrote to memory of 908	2960	rundll32mgr.exe	16
PID 2960 wrote to memory of 956	2960	rundll32mgr.exe	15
PID 2960 wrote to memory of 956	2960	rundll32mgr.exe	15
PID 2960 wrote to memory of 956	2960	rundll32mgr.exe	15
PID 2960 wrote to memory of 956	2960	rundll32mgr.exe	15
PID 2960 wrote to memory of 956	2960	rundll32mgr.exe	15
PID 2960 wrote to memory of 956	2960	rundll32mgr.exe	15
PID 2960 wrote to memory of 376	2960	rundll32mgr.exe	10
PID 2960 wrote to memory of 376	2960	rundll32mgr.exe	10
PID 2960 wrote to memory of 376	2960	rundll32mgr.exe	10
PID 2960 wrote to memory of 376	2960	rundll32mgr.exe	10
PID 2960 wrote to memory of 376	2960	rundll32mgr.exe	10
PID 2960 wrote to memory of 376	2960	rundll32mgr.exe	10
PID 2960 wrote to memory of 540	2960	rundll32mgr.exe	11
PID 2960 wrote to memory of 540	2960	rundll32mgr.exe	11
PID 2960 wrote to memory of 540	2960	rundll32mgr.exe	11
PID 2960 wrote to memory of 540	2960	rundll32mgr.exe	11
PID 2960 wrote to memory of 540	2960	rundll32mgr.exe	11
PID 2960 wrote to memory of 540	2960	rundll32mgr.exe	11
PID 2960 wrote to memory of 688	2960	rundll32mgr.exe	12
PID 2960 wrote to memory of 688	2960	rundll32mgr.exe	12
PID 2960 wrote to memory of 688	2960	rundll32mgr.exe	12
PID 2960 wrote to memory of 688	2960	rundll32mgr.exe	12

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:592
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:784
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1100
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1396
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2660

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2132
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\866abe98b46b6fd62adb6c193f912a4d7e314f58fc12a0e816a02fa16173ade0.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\866abe98b46b6fd62adb6c193f912a4d7e314f58fc12a0e816a02fa16173ade0.dll,#1
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 696
      4⤵
      Program crash
      PID:4220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4716

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1864

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3012

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:3756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4264

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2532

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1700

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3672 -ip 3672
1⤵
PID:4100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
159KB

MD5
83c41b87a9cb13dbfe45bebc525fb9c6

SHA1
d5f93325b8dee5b3bb6af31532631044b6a9ad8a

SHA256
20ff9d36447c839fef85afff0f83513089546a0019bc9fb562a0be2b4d456f2b

SHA512
3ebe9b26945491d403ecb05437d610ca978053e4571ff8f9d75afcfd62ba23d68cdb65c22c0366d8c867461fd85894710028f28aeb3d4e1b40e884e32951a45e

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
159KB

MD5
83c41b87a9cb13dbfe45bebc525fb9c6

SHA1
d5f93325b8dee5b3bb6af31532631044b6a9ad8a

SHA256
20ff9d36447c839fef85afff0f83513089546a0019bc9fb562a0be2b4d456f2b

SHA512
3ebe9b26945491d403ecb05437d610ca978053e4571ff8f9d75afcfd62ba23d68cdb65c22c0366d8c867461fd85894710028f28aeb3d4e1b40e884e32951a45e

Download Submit
memory/2960-137-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3672-136-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3672-138-0x000000007FE10000-0x000000007FE1C000-memory.dmp

Filesize
48KB

Download