431d2875de381b05b8f6cc3ed3310cb9799ec9d29b746da7789b3328d8f5e1ca

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 21:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

431d2875de381b05b8f6cc3ed3310cb9799ec9d29b746da7789b3328d8f5e1ca.dll
Size

2.4MB
MD5

0f3bf508c573fdd34b992a1582159cf5
SHA1

f159c736ce4b3582a6a12dbfb967fc308bf46906
SHA256

431d2875de381b05b8f6cc3ed3310cb9799ec9d29b746da7789b3328d8f5e1ca
SHA512

c744c031fbebba4e270b3d641bbd097dbdb48f2ecb4813555c02934e0d7f31057983e7ee0708f3e522a291ee167472237f2118eab2c630b4f032d032aaed1137
SSDEEP

49152:6U3U+ZYmxjpv7x4GFM/+b8dTMNh9Wr73h7NXSWEqNJO5hYTVMCRisKEqUQS:6iU2YmxjpDx4Zo8dYNh9q73h7NXYkRik

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1004	rundll32mgr.exe

Loads dropped DLL 10 IoCs

pid	Process
1960	rundll32.exe
1960	rundll32.exe
1004	rundll32mgr.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ws2help.dll	rundll32mgr.exe
File created	C:\Windows\Wplugin.dll	rundll32mgr.exe
File opened for modification	C:\Windows\Wplugin.dll	rundll32mgr.exe
File created	C:\Windows\explorer.exe.local	rundll32mgr.exe
File created	C:\Windows\ws2help.dll	rundll32mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1244	1960	WerFault.exe	28
2028	1004	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1004	rundll32mgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1960 wrote to memory of 1004	1960	rundll32.exe	29
PID 1960 wrote to memory of 1004	1960	rundll32.exe	29
PID 1960 wrote to memory of 1004	1960	rundll32.exe	29
PID 1960 wrote to memory of 1004	1960	rundll32.exe	29
PID 1960 wrote to memory of 1244	1960	rundll32.exe	30
PID 1960 wrote to memory of 1244	1960	rundll32.exe	30
PID 1960 wrote to memory of 1244	1960	rundll32.exe	30
PID 1960 wrote to memory of 1244	1960	rundll32.exe	30
PID 1004 wrote to memory of 2028	1004	rundll32mgr.exe	31
PID 1004 wrote to memory of 2028	1004	rundll32mgr.exe	31
PID 1004 wrote to memory of 2028	1004	rundll32mgr.exe	31
PID 1004 wrote to memory of 2028	1004	rundll32mgr.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\431d2875de381b05b8f6cc3ed3310cb9799ec9d29b746da7789b3328d8f5e1ca.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\431d2875de381b05b8f6cc3ed3310cb9799ec9d29b746da7789b3328d8f5e1ca.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 192
      4⤵
      Loads dropped DLL
      Program crash
      PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 232
    3⤵
    - Program crash
    PID:1244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
\Users\Admin\AppData\Roaming\Wplugin.dll

Filesize
108KB

MD5
8847a8302dacc1d6fca61f125c8fe8e0

SHA1
f399142bbf03660bee1df555ebbf3acc8f658cf0

SHA256
9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

SHA512
2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
aafbdf32a4d340a4bd5a711d6c2adb13

SHA1
6ec9489c90e8604984c9f821212310f3cc72c6e4

SHA256
23a6cbf50a771f6bbe92f619568a1af92b43c9cac9368359fc9d56ef52e506f0

SHA512
015636e264e077f7c511125b7bd27336b9f0de736f8e557ffaa3c4f3242f743f4ab41fbd4a97dbc6468e0fa1e7ae139337429de18472f014fc5261787fb6a366

Download Submit
memory/1004-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1960-71-0x0000000008000000-0x000000000826A000-memory.dmp

Filesize
2.4MB

Download
memory/1960-72-0x0000000000240000-0x0000000000268000-memory.dmp

Filesize
160KB

Download
memory/1960-55-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1960-75-0x0000000000240000-0x0000000000268000-memory.dmp

Filesize
160KB

Download