a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277

Analysis

max time kernel
151s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 07:45

Target

a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277.dll
Size

392KB
MD5

09b7588eeb9f9ffced2f205b1547c477
SHA1

44633ba9849b1f2f03bd08f0844bf11f0cd4a9d9
SHA256

a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277
SHA512

499d2501388ac14982dceac375804fc305170fd73482353b8e5810ca6e9670a28a3b25fb5365d2ff337fd74308195053bf7963e61ebff65878f6236cdaf6601b
SSDEEP

6144:JCIGPj038tAgFMldWNX+IxeQ37G28Ua1jflNiSGjVaNqzMDVZPdrNkUN:Cj038t/FMldW4IxeQ37JaplcsVRdm2

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4884	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000b000000022e52-134.dat	upx
behavioral2/files/0x000b000000022e52-135.dat	upx
behavioral2/memory/4884-137-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4560	4924	WerFault.exe	80
8	4884	WerFault.exe	81

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4924	4940	rundll32.exe	80
PID 4940 wrote to memory of 4924	4940	rundll32.exe	80
PID 4940 wrote to memory of 4924	4940	rundll32.exe	80
PID 4924 wrote to memory of 4884	4924	rundll32.exe	81
PID 4924 wrote to memory of 4884	4924	rundll32.exe	81
PID 4924 wrote to memory of 4884	4924	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 268
      4⤵
      Program crash
      PID:8
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 608
    3⤵
    - Program crash
    PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4924 -ip 4924
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4884 -ip 4884
1⤵
PID:5096

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
226KB

MD5
0443f220bbe647a9f012ef8be7826915

SHA1
a4d35c05941e01bfda5e6aebf8696bbe1cbe57eb

SHA256
943d8c1c80dda309f3b9b2af6d0cc311b00acabc0b9016c37359e5c20aa4ab90

SHA512
a09035c929aace492303ba04bc00add212569d1d6dc37f41b814ebb295cb749e0cb7543ceea79c8a39f31e8e14a6bbd9519fac34d42070ed031b911adfebebd9

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
226KB

MD5
0443f220bbe647a9f012ef8be7826915

SHA1
a4d35c05941e01bfda5e6aebf8696bbe1cbe57eb

SHA256
943d8c1c80dda309f3b9b2af6d0cc311b00acabc0b9016c37359e5c20aa4ab90

SHA512
a09035c929aace492303ba04bc00add212569d1d6dc37f41b814ebb295cb749e0cb7543ceea79c8a39f31e8e14a6bbd9519fac34d42070ed031b911adfebebd9

Download Submit
memory/4884-137-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4884-138-0x00000000020B0000-0x00000000020B8000-memory.dmp

Filesize
32KB

Download
memory/4924-136-0x0000000010000000-0x0000000010067000-memory.dmp

Filesize
412KB

Download