05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8

Analysis

max time kernel
41s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 08:02

Target

05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8.dll
Size

220KB
MD5

b59ed84dbc08015813c0c130c26e73a0
SHA1

b7a5ca241d0e87b5212d239338b7c4ebb196f2cf
SHA256

05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8
SHA512

bb512c9228e4f4a5313d57e5057674dfa1bc12a3f33b80da9009fbdf0d335f3ac8999a91b120e0dcf32720499d207c6643c6b66d836afc6581c9dda81ee0582c
SSDEEP

3072:An4cV8gf2u41Z5tKlz/HotMsckWuKws2ZBkB13nfydzJB7Z10hFW0F:a4y8gOl2poas/WIkj+TtehFRF

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1932	rundll32mgr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/memory/1932-60-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1664	rundll32.exe
1664	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1664	1132	rundll32.exe	28
PID 1132 wrote to memory of 1664	1132	rundll32.exe	28
PID 1132 wrote to memory of 1664	1132	rundll32.exe	28
PID 1132 wrote to memory of 1664	1132	rundll32.exe	28
PID 1132 wrote to memory of 1664	1132	rundll32.exe	28
PID 1132 wrote to memory of 1664	1132	rundll32.exe	28
PID 1132 wrote to memory of 1664	1132	rundll32.exe	28
PID 1664 wrote to memory of 1932	1664	rundll32.exe	29
PID 1664 wrote to memory of 1932	1664	rundll32.exe	29
PID 1664 wrote to memory of 1932	1664	rundll32.exe	29
PID 1664 wrote to memory of 1932	1664	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1932

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
memory/1664-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1932-60-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download