a5c44bfb4fd69e91ddc7928ecebdc1c7483404130c1dc14ffb6cc28c4d7103ca

Analysis

max time kernel
145s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 07:45

Target

a5c44bfb4fd69e91ddc7928ecebdc1c7483404130c1dc14ffb6cc28c4d7103ca.dll
Size

600KB
MD5

ef39548718db6bc32ae5760666a8517c
SHA1

c7f76947f88dc4e7d4d0f3f8bc9472e0ed6bd904
SHA256

a5c44bfb4fd69e91ddc7928ecebdc1c7483404130c1dc14ffb6cc28c4d7103ca
SHA512

91bcc6449937f4c32d0f6675bbb5b3d23d8fd03162322de6df7f0c45eb60ae682c0326d06e25625aef85d4c6c85e8877a13124afb2ea25c3bb7a2d8192ce5bd0
SSDEEP

12288:hZL7A5l0711g8onrOcWAqVv6NT81x4NCD:hZL7AfYhonS6FI4NCD

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
908	rundll32mgr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000a000000022e21-134.dat	upx
behavioral2/memory/908-136-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x000a000000022e21-137.dat	upx
behavioral2/memory/908-138-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3748	3664	WerFault.exe	84
1240	908	WerFault.exe	85

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3664	4276	rundll32.exe	84
PID 4276 wrote to memory of 3664	4276	rundll32.exe	84
PID 4276 wrote to memory of 3664	4276	rundll32.exe	84
PID 3664 wrote to memory of 908	3664	rundll32.exe	85
PID 3664 wrote to memory of 908	3664	rundll32.exe	85
PID 3664 wrote to memory of 908	3664	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5c44bfb4fd69e91ddc7928ecebdc1c7483404130c1dc14ffb6cc28c4d7103ca.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5c44bfb4fd69e91ddc7928ecebdc1c7483404130c1dc14ffb6cc28c4d7103ca.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 264
      4⤵
      Program crash
      PID:1240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 612
    3⤵
    - Program crash
    PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3664 -ip 3664
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 908 -ip 908
1⤵
PID:4472

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
125KB

MD5
12d840fc0b79a745c013e73c4c470467

SHA1
f47b3c28974d6199e596c365f5e7161656480100

SHA256
7ee9098ea2bc30eaea20eceb5e8cda620772c4ba2d7d6945e34ea93fb6054ccb

SHA512
de5f3cb695f1a10d897968668ea403721e09f9c66db796d932b8152edb1681dbac777efb63a2cff9d81380d09452f90470a8b77363a99f21421b9ff61fcb930a

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
125KB

MD5
12d840fc0b79a745c013e73c4c470467

SHA1
f47b3c28974d6199e596c365f5e7161656480100

SHA256
7ee9098ea2bc30eaea20eceb5e8cda620772c4ba2d7d6945e34ea93fb6054ccb

SHA512
de5f3cb695f1a10d897968668ea403721e09f9c66db796d932b8152edb1681dbac777efb63a2cff9d81380d09452f90470a8b77363a99f21421b9ff61fcb930a

Download Submit
memory/908-136-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/908-138-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3664-135-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download