2edf99e5cc580972a7eab00fdeccf6c98926de1ed9332e585a15bc5f847b3f45

Analysis

max time kernel
91s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 21:24

Target

2edf99e5cc580972a7eab00fdeccf6c98926de1ed9332e585a15bc5f847b3f45.dll
Size

166KB
MD5

0e773f283f2656a2ce5bcb8548f60d10
SHA1

9ef50d12febbd4e089508d791de62cfaded62e9d
SHA256

2edf99e5cc580972a7eab00fdeccf6c98926de1ed9332e585a15bc5f847b3f45
SHA512

c6c47311090f7e987d52f724a57430a360cf6d0465a2e9d0f2ef7bc876b7bf51a149a5d1990062c9cf929fdf18d809a7ce6810a4034de08862a46f3c5f126e67
SSDEEP

3072:u+cYESM0Toh13xE2XvSc7KBjTdRiFS6w6xQo8LJZUq5HMG8Aec:u+OdSc7aXdRe9ao8LJZUq5HMrAV

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
5104	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0007000000022f6b-135.dat	upx
behavioral2/files/0x0007000000022f6b-136.dat	upx
behavioral2/memory/5104-137-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4844	5104	WerFault.exe	80

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1904	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1904	1048	rundll32.exe	79
PID 1048 wrote to memory of 1904	1048	rundll32.exe	79
PID 1048 wrote to memory of 1904	1048	rundll32.exe	79
PID 1904 wrote to memory of 5104	1904	rundll32.exe	80
PID 1904 wrote to memory of 5104	1904	rundll32.exe	80
PID 1904 wrote to memory of 5104	1904	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2edf99e5cc580972a7eab00fdeccf6c98926de1ed9332e585a15bc5f847b3f45.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2edf99e5cc580972a7eab00fdeccf6c98926de1ed9332e585a15bc5f847b3f45.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:5104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 260
      4⤵
      Program crash
      PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5104 -ip 5104
1⤵
PID:4188

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
103KB

MD5
39ba7f790512d1af40cc864189175cb7

SHA1
da5f35bed908b1a0d08b7639d76cf2d711789e29

SHA256
b7bf5c2afcbb6f664966c7b2cd72ac8cc26f95199ff49a490550858e83a91e75

SHA512
0b59b197cf1123bacd7badb5b359ec17c45d99e297893a28b5130a724d6ba12465f361d7872ab3ebc527ae317735c1182d3d71bcd53b4773dbca3cd82ea1d76e

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
103KB

MD5
39ba7f790512d1af40cc864189175cb7

SHA1
da5f35bed908b1a0d08b7639d76cf2d711789e29

SHA256
b7bf5c2afcbb6f664966c7b2cd72ac8cc26f95199ff49a490550858e83a91e75

SHA512
0b59b197cf1123bacd7badb5b359ec17c45d99e297893a28b5130a724d6ba12465f361d7872ab3ebc527ae317735c1182d3d71bcd53b4773dbca3cd82ea1d76e

Download Submit
memory/1904-133-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/5104-137-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download