dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6

Analysis

max time kernel
185s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 07:38

Target

dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll
Size

764KB
MD5

d9dd7916400113ae5042bdfbb22e21f0
SHA1

8a849dc4dd182e8d886bfa81634fcfe4f2d3c5a1
SHA256

dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6
SHA512

e9e094297b2df93b98b54194e66c4cd45f8c932734cf486a324e52f914597fe7e3ac2528460dcd58237df024d504cecd1194e85f0e04129e7fe1f593b6b7abd9
SSDEEP

12288:tPTv+CFW4hPdahP/RN2kU7fWS36pweWGJr619QV4qqxEnEk3D6qC5UjuRP4itUMP:tPSH4hQP/RN2fLqNK9QV4qBH1O4i9

Score

8^/10

upx

Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

4860 rundll32mgr.exe

pid	process
4860	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\rundll32mgr.exe	upx
C:\Windows\SysWOW64\rundll32mgr.exe	upx
behavioral2/memory/4860-136-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4052 4860 WerFault.exe rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
4052	4860	WerFault.exe	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4944 wrote to memory of 4912	4944	rundll32.exe	rundll32.exe
PID 4944 wrote to memory of 4912	4944	rundll32.exe	rundll32.exe
PID 4944 wrote to memory of 4912	4944	rundll32.exe	rundll32.exe
PID 4912 wrote to memory of 4860	4912	rundll32.exe	rundll32mgr.exe
PID 4912 wrote to memory of 4860	4912	rundll32.exe	rundll32mgr.exe
PID 4912 wrote to memory of 4860	4912	rundll32.exe	rundll32mgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 268
4⤵
- Program crash
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4860 -ip 4860
1⤵
PID:1736

C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
101KB

MD5
162e85589a5dff74d7cf05dbc5d4e8e3

SHA1
12544e9343869586d1679db02119e127f43d986f

SHA256
9cdca823e0d9922662b093a4cb9f313ab4c7c8b9a9199acca683af332d914976

SHA512
7ed0c16b13f1863390cf0946538aab5d2f0ff9953fcf1a76fc0ea8aecefc002a31fffa347bb1f5fab8cfeae4777045fb562cc1af3100dcbad72b5db6e007f0f7

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
101KB

MD5
162e85589a5dff74d7cf05dbc5d4e8e3

SHA1
12544e9343869586d1679db02119e127f43d986f

SHA256
9cdca823e0d9922662b093a4cb9f313ab4c7c8b9a9199acca683af332d914976

SHA512
7ed0c16b13f1863390cf0946538aab5d2f0ff9953fcf1a76fc0ea8aecefc002a31fffa347bb1f5fab8cfeae4777045fb562cc1af3100dcbad72b5db6e007f0f7

Download Submit
memory/4860-133-0x0000000000000000-mapping.dmp

Download
memory/4860-136-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4912-132-0x0000000000000000-mapping.dmp

Download