b49d15a32d474df3888da6663c70a4adc598222429ab2041c91e59e5d675ae34

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:59

Target

b49d15a32d474df3888da6663c70a4adc598222429ab2041c91e59e5d675ae34.dll
Size

128KB
MD5

42e09c9b0082be6da68c40981853d780
SHA1

3c5de68a29e61d47ebb77d6309fd5939e0604bdb
SHA256

b49d15a32d474df3888da6663c70a4adc598222429ab2041c91e59e5d675ae34
SHA512

94a4d77d8182f3fcde97cc9e8a9b090d430147711448bdd1f022b58e62dc23ac840c4fc0e38191155460f4c882de51124dabe85cb48c18d007a6eec3c6ec8199
SSDEEP

3072:4NEqkap78Etee0O9jQoJMoNEJuAhf8up:CEqkE4HNORVJnNEthfXp

Score

8^/10

upx

Executes dropped EXE 1 IoCs

Processes:

rundll32Srv.exe

pid process

4588 rundll32Srv.exe

pid	process
4588	rundll32Srv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
behavioral2/memory/4588-137-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/4588-138-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/4588-139-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4464 4588 WerFault.exe rundll32Srv.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

pid	pid_target	process	target process
4464	4588	WerFault.exe	rundll32Srv.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1652 wrote to memory of 4556	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 4556	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 4556	1652	rundll32.exe	rundll32.exe
PID 4556 wrote to memory of 4588	4556	rundll32.exe	rundll32Srv.exe
PID 4556 wrote to memory of 4588	4556	rundll32.exe	rundll32Srv.exe
PID 4556 wrote to memory of 4588	4556	rundll32.exe	rundll32Srv.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b49d15a32d474df3888da6663c70a4adc598222429ab2041c91e59e5d675ae34.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
3⤵
- Executes dropped EXE
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 268
4⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4588 -ip 4588
1⤵
PID:3560

C:\Windows\SysWOW64\rundll32Srv.exe
Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
memory/4556-132-0x0000000000000000-mapping.dmp

Download
memory/4556-133-0x000000006D040000-0x000000006D060000-memory.dmp

Filesize
128KB

Download
memory/4588-134-0x0000000000000000-mapping.dmp

Download
memory/4588-137-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4588-138-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4588-139-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download