a58baed50fa0f3d2337f8ff61e3493a0523fa2749504c6ae20e3b94f28e28836

Analysis

max time kernel
90s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 17:21

Target

a58baed50fa0f3d2337f8ff61e3493a0523fa2749504c6ae20e3b94f28e28836.dll
Size

1.2MB
MD5

4300f7c96b86957e28f2bfe82107efa0
SHA1

cd47a74f1fa77878fc7abd9cb88cd1a750036d78
SHA256

a58baed50fa0f3d2337f8ff61e3493a0523fa2749504c6ae20e3b94f28e28836
SHA512

5b75048eb05826ada2fcc3a7ef0a2b83af647eb52c7694fe60c0ded3fd1632fb31721e757ec8853f9bcf25bbba1401872669d9b4295f2cfd7512d408a06568a3
SSDEEP

24576:ftRPOCAer4OgctCGBUnUYQSGc15342SxBxeCKtRATNtiQBxg0ITl:ft1Ae0o6b3iEOiQLhITl

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
5036	.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2864-145-0x0000000000400000-0x000000000057C000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1980	5036	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 2864	4540	rundll32.exe	83
PID 4540 wrote to memory of 2864	4540	rundll32.exe	83
PID 4540 wrote to memory of 2864	4540	rundll32.exe	83
PID 2864 wrote to memory of 5036	2864	rundll32.exe	85
PID 2864 wrote to memory of 5036	2864	rundll32.exe	85
PID 2864 wrote to memory of 5036	2864	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a58baed50fa0f3d2337f8ff61e3493a0523fa2749504c6ae20e3b94f28e28836.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a58baed50fa0f3d2337f8ff61e3493a0523fa2749504c6ae20e3b94f28e28836.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\.exe
    C:\Users\Admin\AppData\Local\Temp\.exe
    3⤵
    - Executes dropped EXE
    PID:5036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 484
      4⤵
      Program crash
      PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5036 -ip 5036
1⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
855KB

MD5
e12a7f4eed02579ee03672d281df57f0

SHA1
2df26de94eae5f49f72e83eeddf9ce20c72e4924

SHA256
e0aa189855154cbc3fb64fcbdf5c4f9fd394bd229da7e63ed25e1aad10da69c5

SHA512
ec41b4268ab919d2fc7274051516d6a4593029cb55d579bdf3a7aa78e4757c7c3dab2fb1ec64e58476afb9b453d9bc90aa5d100d8f9a8d1a79765c5758761f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
855KB

MD5
e12a7f4eed02579ee03672d281df57f0

SHA1
2df26de94eae5f49f72e83eeddf9ce20c72e4924

SHA256
e0aa189855154cbc3fb64fcbdf5c4f9fd394bd229da7e63ed25e1aad10da69c5

SHA512
ec41b4268ab919d2fc7274051516d6a4593029cb55d579bdf3a7aa78e4757c7c3dab2fb1ec64e58476afb9b453d9bc90aa5d100d8f9a8d1a79765c5758761f80

Download Submit
memory/2864-136-0x0000000002710000-0x000000000273F000-memory.dmp

Filesize
188KB

Download
memory/2864-145-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2864-146-0x00000000026E0000-0x000000000270B000-memory.dmp

Filesize
172KB

Download
memory/5036-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5036-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download