c9b86805c3b1c09b6657814229ea23d0a467311e7d8ed9245f64de48d0585e9e

Analysis

max time kernel
90s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:37

Target

c9b86805c3b1c09b6657814229ea23d0a467311e7d8ed9245f64de48d0585e9e.dll
Size

700KB
MD5

925c58c0a52e093fc5de3c6853f53ea5
SHA1

f3029ba9f1aabf9df1fc77a1e6daaaaa21f4a67b
SHA256

c9b86805c3b1c09b6657814229ea23d0a467311e7d8ed9245f64de48d0585e9e
SHA512

b23b6f96ff52fe9b673a33ea2e584e7343dd4834b8d295b7a99e25a91fb56affb3269958846cc4344b45bed29b3d7b8c8840933f3d93225d089e1d6114d64879
SSDEEP

12288:30ywjWtUO+Oke04VGUl6vhOiue+bhPrRx4vSZqB7Y0lnMyC2+EUFn+g13DsVF:sCwsdPJyC290N3AVF

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4768	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0002000000022da6-135.dat	upx
behavioral2/files/0x0002000000022da6-136.dat	upx
behavioral2/memory/4768-137-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1140	4488	WerFault.exe	82
1252	4768	WerFault.exe	83

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4488	4900	rundll32.exe	82
PID 4900 wrote to memory of 4488	4900	rundll32.exe	82
PID 4900 wrote to memory of 4488	4900	rundll32.exe	82
PID 4488 wrote to memory of 4768	4488	rundll32.exe	83
PID 4488 wrote to memory of 4768	4488	rundll32.exe	83
PID 4488 wrote to memory of 4768	4488	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9b86805c3b1c09b6657814229ea23d0a467311e7d8ed9245f64de48d0585e9e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9b86805c3b1c09b6657814229ea23d0a467311e7d8ed9245f64de48d0585e9e.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 264
      4⤵
      Program crash
      PID:1252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 628
    3⤵
    - Program crash
    PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4768 -ip 4768
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4488 -ip 4488
1⤵
PID:2868

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
73KB

MD5
203eb4711aca4401e653bb584a0b31dd

SHA1
091ff9ce97896b06f516de1d463250d34513c99c

SHA256
803835a33c25abb2d717a257907c1ac31019a8681cd128231b75769907ce8f91

SHA512
1fdf1490a77b94eea7813cd00e766af452be45065b3f34aec4f4831a1573f71ee67e1bbe551b166dd9fefee657c40de67d18ba958ddb3641e5d1e7989706a57d

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
73KB

MD5
203eb4711aca4401e653bb584a0b31dd

SHA1
091ff9ce97896b06f516de1d463250d34513c99c

SHA256
803835a33c25abb2d717a257907c1ac31019a8681cd128231b75769907ce8f91

SHA512
1fdf1490a77b94eea7813cd00e766af452be45065b3f34aec4f4831a1573f71ee67e1bbe551b166dd9fefee657c40de67d18ba958ddb3641e5d1e7989706a57d

Download Submit
memory/4488-133-0x0000000010000000-0x00000000100B0000-memory.dmp

Filesize
704KB

Download
memory/4488-138-0x0000000010000000-0x00000000100B0000-memory.dmp

Filesize
704KB

Download
memory/4768-137-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download