6ac725ef5faf543c182d14db90defc97f519651426f6474849845a3874ea026e

Analysis

max time kernel
137s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 17:07

Target

6ac725ef5faf543c182d14db90defc97f519651426f6474849845a3874ea026e.dll
Size

160KB
MD5

0af92c3df138ddb69574aac5bb6c530d
SHA1

75be29a76c3ab13f66da35a615ea767586f9a784
SHA256

6ac725ef5faf543c182d14db90defc97f519651426f6474849845a3874ea026e
SHA512

6b3cf9a7cb9f4abef978a1acbf9e973fed91ee1fbd606a47612a4f9f58ea8100cd9efb6b103b6b061655593bcb8b75d2a0dbdbdb0447d2213000dc13c634267c
SSDEEP

3072:lcP+452cgkgaZj/RrANjMIVOhv/f1/0/m+kyo/mEa:43QSzRrtRfB/mEa

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4636	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000a000000022dfb-134.dat	upx
behavioral2/files/0x000a000000022dfb-135.dat	upx
behavioral2/memory/4636-137-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5112	4636	WerFault.exe	81

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 5024	2176	rundll32.exe	80
PID 2176 wrote to memory of 5024	2176	rundll32.exe	80
PID 2176 wrote to memory of 5024	2176	rundll32.exe	80
PID 5024 wrote to memory of 4636	5024	rundll32.exe	81
PID 5024 wrote to memory of 4636	5024	rundll32.exe	81
PID 5024 wrote to memory of 4636	5024	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac725ef5faf543c182d14db90defc97f519651426f6474849845a3874ea026e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac725ef5faf543c182d14db90defc97f519651426f6474849845a3874ea026e.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 264
      4⤵
      Program crash
      PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4636 -ip 4636
1⤵
PID:3516

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
133KB

MD5
783358db5bbd753eb67d9b5c2ea05b87

SHA1
1e49aa868fe0486ed855d0800aae664fb089f834

SHA256
6e8c7e0832fd7499afcb8bfa417f73c592cbc007c17964c5e9494012049b6ec5

SHA512
88334d9189c1589cbec59be8ad38fba6b0da02326ff38e118899c46bf0c72c9b01dbea976407398dbb8d6a1bc5ef3712b49b721e11f6b9444ef7f68705032379

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
133KB

MD5
783358db5bbd753eb67d9b5c2ea05b87

SHA1
1e49aa868fe0486ed855d0800aae664fb089f834

SHA256
6e8c7e0832fd7499afcb8bfa417f73c592cbc007c17964c5e9494012049b6ec5

SHA512
88334d9189c1589cbec59be8ad38fba6b0da02326ff38e118899c46bf0c72c9b01dbea976407398dbb8d6a1bc5ef3712b49b721e11f6b9444ef7f68705032379

Download Submit
memory/4636-133-0x0000000000000000-mapping.dmp

Download
memory/4636-137-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5024-132-0x0000000000000000-mapping.dmp

Download
memory/5024-136-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download