5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f.dll
Size

592KB
MD5

440dbfa1e015df5e19fbe780dbd15dc1
SHA1

96e7a86082ae7689cb162c62fd15df75cc608871
SHA256

5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f
SHA512

a49ca3e4f593cd509755de7e47ec75efca11f23800c36342a20d32e210ec964c6368edd76cf25d7d5ae22ae24f3c9194c6fefca6aef4ab74671f955409883ec5
SSDEEP

12288:MgUYcOj5s7qoYnw3uXa5tTuUFupP6+Zp4zz:MmVoqeuXa5txGPPOz

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

552 rundll32mgr.exe

pid	process
552	rundll32mgr.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1928-57-0x0000000074DA0000-0x0000000074E40000-memory.dmp	vmprotect
behavioral1/memory/1928-74-0x0000000074DA0000-0x0000000074E40000-memory.dmp	vmprotect

Loads dropped DLL 9 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
1928	rundll32.exe
1928	rundll32.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1372 552 WerFault.exe rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
1372	552	WerFault.exe	rundll32mgr.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exe

description	pid	process	target process
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 552	1928	rundll32.exe	rundll32mgr.exe
PID 1928 wrote to memory of 552	1928	rundll32.exe	rundll32mgr.exe
PID 1928 wrote to memory of 552	1928	rundll32.exe	rundll32mgr.exe
PID 1928 wrote to memory of 552	1928	rundll32.exe	rundll32mgr.exe
PID 552 wrote to memory of 1372	552	rundll32mgr.exe	WerFault.exe
PID 552 wrote to memory of 1372	552	rundll32mgr.exe	WerFault.exe
PID 552 wrote to memory of 1372	552	rundll32mgr.exe	WerFault.exe
PID 552 wrote to memory of 1372	552	rundll32mgr.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 156
4⤵
- Loads dropped DLL
- Program crash
PID:1372

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/552-63-0x0000000000000000-mapping.dmp

Download
memory/1372-66-0x0000000000000000-mapping.dmp

Download
memory/1928-58-0x0000000074E40000-0x0000000074EE0000-memory.dmp

Filesize
640KB

Download
memory/1928-57-0x0000000074DA0000-0x0000000074E40000-memory.dmp

Filesize
640KB

Download
memory/1928-56-0x0000000074E40000-0x0000000074EE0000-memory.dmp

Filesize
640KB

Download
memory/1928-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1928-54-0x0000000000000000-mapping.dmp

Download
memory/1928-74-0x0000000074DA0000-0x0000000074E40000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads