05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8

Analysis

max time kernel
164s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 08:02

Target

05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8.dll
Size

220KB
MD5

b59ed84dbc08015813c0c130c26e73a0
SHA1

b7a5ca241d0e87b5212d239338b7c4ebb196f2cf
SHA256

05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8
SHA512

bb512c9228e4f4a5313d57e5057674dfa1bc12a3f33b80da9009fbdf0d335f3ac8999a91b120e0dcf32720499d207c6643c6b66d836afc6581c9dda81ee0582c
SSDEEP

3072:An4cV8gf2u41Z5tKlz/HotMsckWuKws2ZBkB13nfydzJB7Z10hFW0F:a4y8gOl2poas/WIkj+TtehFRF

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2844	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0008000000022e17-135.dat	upx
behavioral2/files/0x0008000000022e17-136.dat	upx
behavioral2/memory/2844-137-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
212	2844	WerFault.exe	78

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 3524	1140	rundll32.exe	77
PID 1140 wrote to memory of 3524	1140	rundll32.exe	77
PID 1140 wrote to memory of 3524	1140	rundll32.exe	77
PID 3524 wrote to memory of 2844	3524	rundll32.exe	78
PID 3524 wrote to memory of 2844	3524	rundll32.exe	78
PID 3524 wrote to memory of 2844	3524	rundll32.exe	78

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\05b8b34640d145a0b2ff6852313ef68e027ec4fad5ba6c7a3f4fe70227a834c8.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 260
      4⤵
      Program crash
      PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2844 -ip 2844
1⤵
PID:1752

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
memory/2844-137-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3524-133-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download