b4351cde27e09cb0ae96b87d807467dc83454a308adc0d6300250dd8033a21a2

Analysis

max time kernel
9s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 18:14

Target

b4351cde27e09cb0ae96b87d807467dc83454a308adc0d6300250dd8033a21a2.dll
Size

248KB
MD5

0bdd3f3fca0bb54cf6ce382a38cddc59
SHA1

bf89740301e79f860a5abec5f2dc2da108194960
SHA256

b4351cde27e09cb0ae96b87d807467dc83454a308adc0d6300250dd8033a21a2
SHA512

ffb1d0c907388d7977d0f9f805581076c5e9a60a38958a5257b530a8bd45c1277d85d4ff006535b206202830b863e4e296f0d235a4af82a0c359882291cc5ec8
SSDEEP

3072:DUHdcXZX9whcli+x8mc7HBWRYcZSAv3a05LKbdgv9spWOv9vipsUrkEhCkSgIyLI:HX9tig73SU75LkdYspp9vUrM7/WAyKph

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1936	rundll32mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
1788	rundll32.exe
1788	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1788	1800	rundll32.exe	28
PID 1800 wrote to memory of 1788	1800	rundll32.exe	28
PID 1800 wrote to memory of 1788	1800	rundll32.exe	28
PID 1800 wrote to memory of 1788	1800	rundll32.exe	28
PID 1800 wrote to memory of 1788	1800	rundll32.exe	28
PID 1800 wrote to memory of 1788	1800	rundll32.exe	28
PID 1800 wrote to memory of 1788	1800	rundll32.exe	28
PID 1788 wrote to memory of 1936	1788	rundll32.exe	29
PID 1788 wrote to memory of 1936	1788	rundll32.exe	29
PID 1788 wrote to memory of 1936	1788	rundll32.exe	29
PID 1788 wrote to memory of 1936	1788	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4351cde27e09cb0ae96b87d807467dc83454a308adc0d6300250dd8033a21a2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4351cde27e09cb0ae96b87d807467dc83454a308adc0d6300250dd8033a21a2.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1936

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
79KB

MD5
9369519ebb0d7f41871d9c33f4f06712

SHA1
f608395fdf1212b03107a329fa9c5223416df80f

SHA256
a4b9dea29d50021c0a4add3709e67f2293474dbf9d7c8d3d33d519635567932a

SHA512
f95eb87c41b703c97a58bfaec31a8d1a5baba6864184772f1492faf932a6b94c9bc5246228aabbd5467e7f65759e59d0f8119b1dbba4a9bcc3c337b39c2fa985

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
79KB

MD5
9369519ebb0d7f41871d9c33f4f06712

SHA1
f608395fdf1212b03107a329fa9c5223416df80f

SHA256
a4b9dea29d50021c0a4add3709e67f2293474dbf9d7c8d3d33d519635567932a

SHA512
f95eb87c41b703c97a58bfaec31a8d1a5baba6864184772f1492faf932a6b94c9bc5246228aabbd5467e7f65759e59d0f8119b1dbba4a9bcc3c337b39c2fa985

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
79KB

MD5
9369519ebb0d7f41871d9c33f4f06712

SHA1
f608395fdf1212b03107a329fa9c5223416df80f

SHA256
a4b9dea29d50021c0a4add3709e67f2293474dbf9d7c8d3d33d519635567932a

SHA512
f95eb87c41b703c97a58bfaec31a8d1a5baba6864184772f1492faf932a6b94c9bc5246228aabbd5467e7f65759e59d0f8119b1dbba4a9bcc3c337b39c2fa985

Download Submit
memory/1788-54-0x0000000000000000-mapping.dmp

Download
memory/1788-55-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1788-60-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1936-58-0x0000000000000000-mapping.dmp

Download