0834cae347fa49ec40179e4592896b086f113a1315c592a1b3271e46cec242ec

Analysis

max time kernel
136s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0834cae347fa49ec40179e4592896b086f113a1315c592a1b3271e46cec242ec.dll
Size

1.5MB
MD5

8329cc74f273668faf0aa5c306f70de2
SHA1

53f4198739ff10fadefb188b60d3b9ea1de9b271
SHA256

0834cae347fa49ec40179e4592896b086f113a1315c592a1b3271e46cec242ec
SHA512

11721cb1648ad5bb38705e3c48749d21f6a30ea55ceb832f4c4858ae9f75fbcf9421a7ebfabe85edcbba08dc386fdecd1bfd8aba4d435edeb868825a31178e38
SSDEEP

49152:QNVE+2VQYCJ+tCgBnRaGYqLILN03x+5UtMbc:QbppYCJ+YgBnRJYqLIh03hv

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

756 rundll32mgr.exe

pid	process
756	rundll32mgr.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/520-133-0x0000000010000000-0x000000001029E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

520 rundll32.exe
520 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3940 756 WerFault.exe rundll32mgr.exe

pid	process
520	rundll32.exe
520	rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
3940	756	WerFault.exe	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3880 wrote to memory of 520	3880	rundll32.exe	rundll32.exe
PID 3880 wrote to memory of 520	3880	rundll32.exe	rundll32.exe
PID 3880 wrote to memory of 520	3880	rundll32.exe	rundll32.exe
PID 520 wrote to memory of 756	520	rundll32.exe	rundll32mgr.exe
PID 520 wrote to memory of 756	520	rundll32.exe	rundll32mgr.exe
PID 520 wrote to memory of 756	520	rundll32.exe	rundll32mgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0834cae347fa49ec40179e4592896b086f113a1315c592a1b3271e46cec242ec.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0834cae347fa49ec40179e4592896b086f113a1315c592a1b3271e46cec242ec.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 384
4⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 756 -ip 756
1⤵
PID:3212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\AdjMmsVista.dll
Filesize
220KB

MD5
fb27635f5921f5f27659e4054c08b6cc

SHA1
c8a357f663f01810eb3dbca601146569e9cccdd8

SHA256
496f4e2891e3f16fe387f81eda2d203f696f1045faeae73204f458fbb735c43d

SHA512
59d66860be3ea3c5261ed6f56d854ac94106204f7a1a8209ff91d9ddde53c65850f57c9d7de4b9f312c016e39d7da777165cf062d57510fd5b18590799aac84b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AdjMmsVista.dll
Filesize
220KB

MD5
fb27635f5921f5f27659e4054c08b6cc

SHA1
c8a357f663f01810eb3dbca601146569e9cccdd8

SHA256
496f4e2891e3f16fe387f81eda2d203f696f1045faeae73204f458fbb735c43d

SHA512
59d66860be3ea3c5261ed6f56d854ac94106204f7a1a8209ff91d9ddde53c65850f57c9d7de4b9f312c016e39d7da777165cf062d57510fd5b18590799aac84b

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
192KB

MD5
72864b90643b2ff7a3e4c06b03ad2ce7

SHA1
52f60736728362514dec7880f67009408bf744da

SHA256
c0dc483d5d52f102a46125ba7b79757cf535aaf6075ff1bf0b255243d0b88c43

SHA512
b6f2abb30dedc588601324a203f348f453443a28de2a82b16ae175621471126680bf239e502e5c4f848955a6031e211976a3aa24eaa9e1e56b06c30916a23bf2

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
192KB

MD5
72864b90643b2ff7a3e4c06b03ad2ce7

SHA1
52f60736728362514dec7880f67009408bf744da

SHA256
c0dc483d5d52f102a46125ba7b79757cf535aaf6075ff1bf0b255243d0b88c43

SHA512
b6f2abb30dedc588601324a203f348f453443a28de2a82b16ae175621471126680bf239e502e5c4f848955a6031e211976a3aa24eaa9e1e56b06c30916a23bf2

Download Submit
memory/520-132-0x0000000000000000-mapping.dmp

Download
memory/520-133-0x0000000010000000-0x000000001029E000-memory.dmp

Filesize
2.6MB

Download
memory/520-139-0x0000000000EE0000-0x0000000000F1A000-memory.dmp

Filesize
232KB

Download
memory/756-134-0x0000000000000000-mapping.dmp

Download