9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 10:37

Target

9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll
Size

1.3MB
MD5

1ebcc343bd2d2e1f47ac0fed7ec850b5
SHA1

9cd66157339ee7e267df2c6de9a37905b0bf22b5
SHA256

9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26
SHA512

04946480d63ddb58dc866860b98565702bf829c13e9acf8b0e69c724cf6198f7f5e3f07e66977416d3a5e401e989b6d4cce234a5a3ecf81e14c19c2c2d079471
SSDEEP

12288:jSfXvPnSkeJr2F21G0ukd/W8YmU/fI60KbKIkWTVurjUc0u99ARk1FM83pm0OyPW:uPvP8T2onlOYHc4v2ayVpSC

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1512	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0009000000022dbc-135.dat	upx
behavioral2/files/0x0009000000022dbc-136.dat	upx
behavioral2/memory/1512-137-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4944	2288	WerFault.exe	76
408	1512	WerFault.exe	77

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2288	4232	rundll32.exe	76
PID 4232 wrote to memory of 2288	4232	rundll32.exe	76
PID 4232 wrote to memory of 2288	4232	rundll32.exe	76
PID 2288 wrote to memory of 1512	2288	rundll32.exe	77
PID 2288 wrote to memory of 1512	2288	rundll32.exe	77
PID 2288 wrote to memory of 1512	2288	rundll32.exe	77

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 264
      4⤵
      Program crash
      PID:408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 612
    3⤵
    - Program crash
    PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1512 -ip 1512
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2288 -ip 2288
1⤵
PID:1792

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
98a8ced05b34189b8b36760049b2ea36

SHA1
a5271250fb91d891c7df0cae7812ed68907ae076

SHA256
e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

SHA512
8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
98a8ced05b34189b8b36760049b2ea36

SHA1
a5271250fb91d891c7df0cae7812ed68907ae076

SHA256
e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

SHA512
8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

Download Submit
memory/1512-137-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2288-133-0x0000000010000000-0x0000000010151000-memory.dmp

Filesize
1.3MB

Download
memory/2288-138-0x0000000010000000-0x0000000010151000-memory.dmp

Filesize
1.3MB

Download