809d1ab76c4e88b1124324b6d474bc26b9c2997ef68f2b414d03063055a7de82

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 17:22

Target

809d1ab76c4e88b1124324b6d474bc26b9c2997ef68f2b414d03063055a7de82.dll
Size

403KB
MD5

80cb6c7db556258fe8eb321c78e694cb
SHA1

fcc284ea4bb433be29c847f86722ee564b6f733c
SHA256

809d1ab76c4e88b1124324b6d474bc26b9c2997ef68f2b414d03063055a7de82
SHA512

9865f83b9414111623807674a5a73d5ffba07f88b7fc508c6516c2d29df00b87e4c5c28e1c2dc6da36c5ed02b243b666263493128e49e21e23721d61fd909909
SSDEEP

12288:ktKItUUsDaRPCalxEiNLJjN4Djpnl+qsJ/gdh+:2K4rIalGeLZN4Pyp/g+

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1808-57-0x0000000000990000-0x0000000000AA0000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
832	1808	WerFault.exe	27

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1808	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1324 wrote to memory of 1808	1324	rundll32.exe	27
PID 1808 wrote to memory of 832	1808	rundll32.exe	28
PID 1808 wrote to memory of 832	1808	rundll32.exe	28
PID 1808 wrote to memory of 832	1808	rundll32.exe	28
PID 1808 wrote to memory of 832	1808	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\809d1ab76c4e88b1124324b6d474bc26b9c2997ef68f2b414d03063055a7de82.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\809d1ab76c4e88b1124324b6d474bc26b9c2997ef68f2b414d03063055a7de82.dll,#1
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 224
    3⤵
    - Program crash
    PID:832

memory/1808-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1808-57-0x0000000000990000-0x0000000000AA0000-memory.dmp

Filesize
1.1MB

Download