8a005b30a4aba7b10a1146826a189d8ec240316464b5b45cdaed56272608bbc5

Analysis

max time kernel
140s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 00:15

Target

8a005b30a4aba7b10a1146826a189d8ec240316464b5b45cdaed56272608bbc5.dll
Size

244KB
MD5

75e6c5f90d12885e6ae103440f4ee500
SHA1

342cb45b2f28644c4029ae297450f28a684eadb3
SHA256

8a005b30a4aba7b10a1146826a189d8ec240316464b5b45cdaed56272608bbc5
SHA512

02225b2db94982671c5bd75ae7481d5e335f8e6e84dcb73c6b9bc2deb46f11e77548184ff3065ac58b48f01cefe9f8b36ef66491d7e81829e57b90f3e446f992
SSDEEP

3072:iHJ3uezIH4TwDnbU+VPBNiz2130BSuqPeBZuIvv2nxy4B0hw+Dc2c2C:tU4HHpB1jcZbvenxybG+pc2C

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1408	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000a000000022e01-134.dat	upx
behavioral2/files/0x000a000000022e01-135.dat	upx
behavioral2/memory/1408-137-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4604	1408	WerFault.exe	83
5016	4016	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 4016	2968	rundll32.exe	82
PID 2968 wrote to memory of 4016	2968	rundll32.exe	82
PID 2968 wrote to memory of 4016	2968	rundll32.exe	82
PID 4016 wrote to memory of 1408	4016	rundll32.exe	83
PID 4016 wrote to memory of 1408	4016	rundll32.exe	83
PID 4016 wrote to memory of 1408	4016	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a005b30a4aba7b10a1146826a189d8ec240316464b5b45cdaed56272608bbc5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a005b30a4aba7b10a1146826a189d8ec240316464b5b45cdaed56272608bbc5.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 220
      4⤵
      Program crash
      PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 648
    3⤵
    - Program crash
    PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1408 -ip 1408
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4016 -ip 4016
1⤵
PID:4180

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
177KB

MD5
3057899a0737ff16ec205af279774bc3

SHA1
d845fc786a80680215fc7fdbaf359d0f6208ecb2

SHA256
ca004129badd533f7f0ec63e96dbead81b675da7794ce6ebb35cfa11c1f5de23

SHA512
4588c3c1229f02e542ccefab17b6a87fd7b6f1f516ab8643211f83502ec7e620d58c73de97dca11178b8c1a897be8c3497611655c7bb6d007fc545f050bd412d

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
177KB

MD5
3057899a0737ff16ec205af279774bc3

SHA1
d845fc786a80680215fc7fdbaf359d0f6208ecb2

SHA256
ca004129badd533f7f0ec63e96dbead81b675da7794ce6ebb35cfa11c1f5de23

SHA512
4588c3c1229f02e542ccefab17b6a87fd7b6f1f516ab8643211f83502ec7e620d58c73de97dca11178b8c1a897be8c3497611655c7bb6d007fc545f050bd412d

Download Submit
memory/1408-137-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4016-136-0x0000000074930000-0x0000000074972000-memory.dmp

Filesize
264KB

Download