1296fca72509b6a6cfb1fcf0371c853607ac4e4b8ee6fc25b36f0b2eb0a8853c

Analysis

max time kernel
226s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 23:34

Target

鑫财手机协议全能王/91vpn/vpnutil.dll
Size

750KB
MD5

2a85f60ed95582d66ebedeec374ea64e
SHA1

ad1b515b0b72e6d51563e89f40b23e62630c39de
SHA256

163399e825d23c9c019a9bd03a58328d365a5fc9f80af1e516ca7412de2c49e6
SHA512

cb2766a0bcd7f6979831f004e84b15df18ba33ad11d6ce20b6432845074e8249de72c906cd4900576831c21d09940b9e30b701db839b0aba299ff364d9e8b458
SSDEEP

12288:3ysfcCzYEjeYL89XikxFkPBs+OeO+OeNhBBhhBBdlrYj5cEwmco0LgUdj:lzYERL89XikxFkPnYj5zwmd0LgUdj

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
4180	rundll32.exe

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\91vpn.log	rundll32.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4076	4180	WerFault.exe	81
4336	4180	WerFault.exe	81

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	Process	procid_target
PID 224 wrote to memory of 4180	224	rundll32.exe	81
PID 224 wrote to memory of 4180	224	rundll32.exe	81
PID 224 wrote to memory of 4180	224	rundll32.exe	81
PID 4180 wrote to memory of 4076	4180	rundll32.exe	83
PID 4180 wrote to memory of 4076	4180	rundll32.exe	83
PID 4180 wrote to memory of 4076	4180	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\鑫财手机协议全能王\91vpn\vpnutil.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\鑫财手机协议全能王\91vpn\vpnutil.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 680
    3⤵
    - Program crash
    PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 680
    3⤵
    - Program crash
    PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4180 -ip 4180
1⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\7EA.tmp

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/4076-134-0x0000000000000000-mapping.dmp

Download
memory/4180-132-0x0000000000000000-mapping.dmp

Download