2086540f09b320b9d41a4c8df34572ab98e1627cfedcdc2a28a1d4561045b3b0

Analysis

max time kernel
86s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 17:36

Target

2086540f09b320b9d41a4c8df34572ab98e1627cfedcdc2a28a1d4561045b3b0.dll
Size

560KB
MD5

843ba6d40b15855549df4e5707015af6
SHA1

31e73a8c066dadbf05e66980403f11b440e28d82
SHA256

2086540f09b320b9d41a4c8df34572ab98e1627cfedcdc2a28a1d4561045b3b0
SHA512

ead2058d3b8216f3e0ebbbc907f3eafb4755dd513cb967016826070b345471a7a9b44c4de5ab2935d9bc7da0a6c7393d61f3d08336731f7f7790dbeb756cb737
SSDEEP

12288:J7aNeM6++h2NSjPRKcLui5U1Im3pHQCaOOfH:g6++h2NSj5KcLuik9IhH

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4380	rundll32mgr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4528	4380	WerFault.exe	83
4112	4380	WerFault.exe	83

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3488	4912	rundll32.exe	80
PID 4912 wrote to memory of 3488	4912	rundll32.exe	80
PID 4912 wrote to memory of 3488	4912	rundll32.exe	80
PID 3488 wrote to memory of 4380	3488	rundll32.exe	83
PID 3488 wrote to memory of 4380	3488	rundll32.exe	83
PID 3488 wrote to memory of 4380	3488	rundll32.exe	83
PID 4380 wrote to memory of 4528	4380	rundll32mgr.exe	86
PID 4380 wrote to memory of 4528	4380	rundll32mgr.exe	86
PID 4380 wrote to memory of 4528	4380	rundll32mgr.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2086540f09b320b9d41a4c8df34572ab98e1627cfedcdc2a28a1d4561045b3b0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2086540f09b320b9d41a4c8df34572ab98e1627cfedcdc2a28a1d4561045b3b0.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 384
      4⤵
      Program crash
      PID:4528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 384
      4⤵
      Program crash
      PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4380 -ip 4380
1⤵
PID:4284

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
192KB

MD5
72864b90643b2ff7a3e4c06b03ad2ce7

SHA1
52f60736728362514dec7880f67009408bf744da

SHA256
c0dc483d5d52f102a46125ba7b79757cf535aaf6075ff1bf0b255243d0b88c43

SHA512
b6f2abb30dedc588601324a203f348f453443a28de2a82b16ae175621471126680bf239e502e5c4f848955a6031e211976a3aa24eaa9e1e56b06c30916a23bf2

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
192KB

MD5
72864b90643b2ff7a3e4c06b03ad2ce7

SHA1
52f60736728362514dec7880f67009408bf744da

SHA256
c0dc483d5d52f102a46125ba7b79757cf535aaf6075ff1bf0b255243d0b88c43

SHA512
b6f2abb30dedc588601324a203f348f453443a28de2a82b16ae175621471126680bf239e502e5c4f848955a6031e211976a3aa24eaa9e1e56b06c30916a23bf2

Download Submit
memory/3488-133-0x0000000060000000-0x000000006008E000-memory.dmp

Filesize
568KB

Download