a82cb5c3067514188a1449438d4cb562a73478192d6c457a52ac02c660100b6d

General

Target

a82cb5c3067514188a1449438d4cb562a73478192d6c457a52ac02c660100b6d.dll
Size

395KB
MD5

2f780ed707c91e8d5eb20bf7c9c20490
SHA1

389d1c07c0261b6bef21e48435e3eb599b82f728
SHA256

a82cb5c3067514188a1449438d4cb562a73478192d6c457a52ac02c660100b6d
SHA512

c9a005cf9c8bc343e8dd5a5d18951eb4ce5bbb959c53ac435469053ad4d14f475b501e749717515a42c444c31aaa034f10d8f0cf5279625da5a247ec2005a104
SSDEEP

3072:GwWT5BaRUlyHKwWT5lTpb6NkqlX5ANlAxon1u4f8UbVMdUvpmxd:waRUlyHAp6NjlXZeu4f8U6iGd

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4968	rundll32mgr.exe
1324	hrlD74A.tmp
2276	bgjrgk.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f4c-135.dat	upx
behavioral2/files/0x0006000000022f4c-136.dat	upx
behavioral2/memory/4968-140-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
2276	bgjrgk.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bgjrgk.exe	hrlD74A.tmp
File opened for modification	C:\Windows\SysWOW64\bgjrgk.exe	hrlD74A.tmp
File created	C:\Windows\SysWOW64\gei33.dll	bgjrgk.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
796	4968	WerFault.exe	82

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4940	4204	rundll32.exe	81
PID 4204 wrote to memory of 4940	4204	rundll32.exe	81
PID 4204 wrote to memory of 4940	4204	rundll32.exe	81
PID 4940 wrote to memory of 4968	4940	rundll32.exe	82
PID 4940 wrote to memory of 4968	4940	rundll32.exe	82
PID 4940 wrote to memory of 4968	4940	rundll32.exe	82
PID 4940 wrote to memory of 1324	4940	rundll32.exe	83
PID 4940 wrote to memory of 1324	4940	rundll32.exe	83
PID 4940 wrote to memory of 1324	4940	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a82cb5c3067514188a1449438d4cb562a73478192d6c457a52ac02c660100b6d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a82cb5c3067514188a1449438d4cb562a73478192d6c457a52ac02c660100b6d.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 272
      4⤵
      Program crash
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\hrlD74A.tmp
    C:\Users\Admin\AppData\Local\Temp\hrlD74A.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4968 -ip 4968
1⤵
PID:2560

C:\Windows\SysWOW64\bgjrgk.exe
C:\Windows\SysWOW64\bgjrgk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlD74A.tmp

Filesize
39KB

MD5
bfad4a122152bc246aed2d3799341888

SHA1
01f92cf4deba34df9449aec96ba7b95241475d1a

SHA256
917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

SHA512
dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlD74A.tmp

Filesize
39KB

MD5
bfad4a122152bc246aed2d3799341888

SHA1
01f92cf4deba34df9449aec96ba7b95241475d1a

SHA256
917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

SHA512
dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

Download Submit
C:\Windows\SysWOW64\bgjrgk.exe

Filesize
39KB

MD5
bfad4a122152bc246aed2d3799341888

SHA1
01f92cf4deba34df9449aec96ba7b95241475d1a

SHA256
917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

SHA512
dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

Download Submit
C:\Windows\SysWOW64\bgjrgk.exe

Filesize
39KB

MD5
bfad4a122152bc246aed2d3799341888

SHA1
01f92cf4deba34df9449aec96ba7b95241475d1a

SHA256
917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

SHA512
dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

Download Submit
C:\Windows\SysWOW64\gei33.dll

Filesize
52KB

MD5
d1dbfc3af07e8ab980b9046d1b13ae10

SHA1
4191ba60232182e6f077401bd571e46082bfa74d

SHA256
4e2f0d8b42fd9487052a9fd6a683df8afc4006009a74610823b1d056810bbb11

SHA512
e4755f5ff6e5cda299c3df333753d84cfdbe9e7c215acb2c45cdde5096947d495bbe741bbd669c81e02308a7ca4cbbe56b925190fa6459309ff025ee43265f2c

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
340KB

MD5
a335e0d50da877e39944d999f990e82b

SHA1
9db3ae5b5140756838b023ff3ac11b853023162c

SHA256
154eb0e8adea973590f21c50913fcdd1618ebc292ebe1e60df20e067c81b4666

SHA512
52eaf1f00a4846c34825cde6942dc349feb78da57fe0639bc42ba328bf4756898cafa026a5c56c8b762c0dc5b44485e1f9b12de529819b81af7f4e7b25b40981

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
340KB

MD5
a335e0d50da877e39944d999f990e82b

SHA1
9db3ae5b5140756838b023ff3ac11b853023162c

SHA256
154eb0e8adea973590f21c50913fcdd1618ebc292ebe1e60df20e067c81b4666

SHA512
52eaf1f00a4846c34825cde6942dc349feb78da57fe0639bc42ba328bf4756898cafa026a5c56c8b762c0dc5b44485e1f9b12de529819b81af7f4e7b25b40981

Download Submit
memory/4940-141-0x0000000074A60000-0x0000000074AC8000-memory.dmp

Filesize
416KB

Download
memory/4940-133-0x0000000074A60000-0x0000000074AC8000-memory.dmp

Filesize
416KB

Download
memory/4968-140-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing