67772ecec97387478b1202e0102fac6d7dde36856c107c8b3d2c20c75016269f

Analysis

max time kernel
47s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 21:08

Target

67772ecec97387478b1202e0102fac6d7dde36856c107c8b3d2c20c75016269f.dll
Size

148KB
MD5

0cf2ca39934b9db2e4bae4175a0a4e40
SHA1

3b43a967397041d6b45c2fd97efc406e09ab0978
SHA256

67772ecec97387478b1202e0102fac6d7dde36856c107c8b3d2c20c75016269f
SHA512

60e7345c33329b690fdc1ab93499d7bbd12c78100fccbb1343b79e25b7c1df18eaa0016dc6398b092adb861306b319af1e5306a68500658e3160d023ab560a9b
SSDEEP

3072:Ia2xurd/UbSSWos9ceZoBvdGp18v5TRRVf1:ITbSt9QVGkNRr1

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1148	rundll32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0008000000005c51-56.dat	upx
behavioral1/files/0x0008000000005c51-58.dat	upx
behavioral1/memory/1148-63-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1532	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1392	1532	WerFault.exe	27

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1532	1460	rundll32.exe	27
PID 1460 wrote to memory of 1532	1460	rundll32.exe	27
PID 1460 wrote to memory of 1532	1460	rundll32.exe	27
PID 1460 wrote to memory of 1532	1460	rundll32.exe	27
PID 1460 wrote to memory of 1532	1460	rundll32.exe	27
PID 1460 wrote to memory of 1532	1460	rundll32.exe	27
PID 1460 wrote to memory of 1532	1460	rundll32.exe	27
PID 1532 wrote to memory of 1148	1532	rundll32.exe	28
PID 1532 wrote to memory of 1148	1532	rundll32.exe	28
PID 1532 wrote to memory of 1148	1532	rundll32.exe	28
PID 1532 wrote to memory of 1148	1532	rundll32.exe	28
PID 1532 wrote to memory of 1392	1532	rundll32.exe	29
PID 1532 wrote to memory of 1392	1532	rundll32.exe	29
PID 1532 wrote to memory of 1392	1532	rundll32.exe	29
PID 1532 wrote to memory of 1392	1532	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\67772ecec97387478b1202e0102fac6d7dde36856c107c8b3d2c20c75016269f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\67772ecec97387478b1202e0102fac6d7dde36856c107c8b3d2c20c75016269f.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:1148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 228
    3⤵
    - Program crash
    PID:1392

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1148-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1532-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1532-61-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/1532-62-0x0000000000180000-0x00000000001AE000-memory.dmp

Filesize
184KB

Download