5304522c3f48984337f18133639815cab62f24ef25407c3a097fcecfc4b4ed9f

Analysis

max time kernel
225s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 08:28

Target

reviewer/beastly.dll
Size

628KB
MD5

21a58f232100acc74ca02cb4c9193981
SHA1

6eba26240da27fd706d30046f0645c5b6dc47957
SHA256

808cc617a65f9eeeecf7241b06ddeeaa6cfd9b23db30094169fd307c4607e16b
SHA512

32bda9d70937f608e3bef2c7a1c96759f6bdfd5a1fe242befd51ed4c847019def6090aeb0d4f356a05191bb293adc67588ec76ec843ef3877cf1b1a8f1e2f1fd
SSDEEP

12288:8x8IFmbH8yS5XXUrIVcxxK/5IOT2LY/O9bBoY//w:R6y8bRZAYhI/LoO9bBoY/4

Score

1^/10

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1700	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1700	1368	rundll32.exe	27
PID 1368 wrote to memory of 1700	1368	rundll32.exe	27
PID 1368 wrote to memory of 1700	1368	rundll32.exe	27
PID 1368 wrote to memory of 1700	1368	rundll32.exe	27
PID 1368 wrote to memory of 1700	1368	rundll32.exe	27
PID 1368 wrote to memory of 1700	1368	rundll32.exe	27
PID 1368 wrote to memory of 1700	1368	rundll32.exe	27
PID 1700 wrote to memory of 932	1700	rundll32.exe	28
PID 1700 wrote to memory of 932	1700	rundll32.exe	28
PID 1700 wrote to memory of 932	1700	rundll32.exe	28
PID 1700 wrote to memory of 932	1700	rundll32.exe	28
PID 1700 wrote to memory of 932	1700	rundll32.exe	28
PID 1700 wrote to memory of 932	1700	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\reviewer\beastly.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\reviewer\beastly.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:932

memory/932-65-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/932-66-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1700-55-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1700-56-0x0000000000310000-0x00000000003B0000-memory.dmp

Filesize
640KB

Download
memory/1700-57-0x0000000000930000-0x0000000000959000-memory.dmp

Filesize
164KB

Download
memory/1700-59-0x0000000000930000-0x0000000000959000-memory.dmp

Filesize
164KB

Download
memory/1700-58-0x0000000000930000-0x0000000000959000-memory.dmp

Filesize
164KB

Download
memory/1700-60-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1700-61-0x0000000000930000-0x0000000000959000-memory.dmp

Filesize
164KB

Download
memory/1700-64-0x0000000000930000-0x0000000000959000-memory.dmp

Filesize
164KB

Download