293277bae19a6ab3a9da50644a956c22d83ee198214d03c3f2c2e5b49c4332c6

Analysis

max time kernel
233s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 14:35

Target

293277bae19a6ab3a9da50644a956c22d83ee198214d03c3f2c2e5b49c4332c6.dll
Size

16KB
MD5

6eb3d2c0227e3414f5fad94c9d6ed770
SHA1

4c05e57102661cef5cba40d9a31754b7814b9831
SHA256

293277bae19a6ab3a9da50644a956c22d83ee198214d03c3f2c2e5b49c4332c6
SHA512

63ad971692feeaaf2e0e82c9a604fb553f6c08c0d4009bd0076a64a1063823dbb2819c4764c9936bf00a070bb610ef31866915b45d23d84fcb93c1e7a84a1351
SSDEEP

384:S9a7L+KQ6B1WiXZopmPgzXmRYElh1LB9RTlnXLRbzlw:SYW6rGpUIJmLNlXFba

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/672-57-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1472	672	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 672	520	rundll32.exe	28
PID 520 wrote to memory of 672	520	rundll32.exe	28
PID 520 wrote to memory of 672	520	rundll32.exe	28
PID 520 wrote to memory of 672	520	rundll32.exe	28
PID 520 wrote to memory of 672	520	rundll32.exe	28
PID 520 wrote to memory of 672	520	rundll32.exe	28
PID 520 wrote to memory of 672	520	rundll32.exe	28
PID 672 wrote to memory of 1472	672	rundll32.exe	29
PID 672 wrote to memory of 1472	672	rundll32.exe	29
PID 672 wrote to memory of 1472	672	rundll32.exe	29
PID 672 wrote to memory of 1472	672	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\293277bae19a6ab3a9da50644a956c22d83ee198214d03c3f2c2e5b49c4332c6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\293277bae19a6ab3a9da50644a956c22d83ee198214d03c3f2c2e5b49c4332c6.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 228
    3⤵
    - Program crash
    PID:1472

memory/672-54-0x0000000000000000-mapping.dmp

Download
memory/672-55-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/672-57-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1472-56-0x0000000000000000-mapping.dmp

Download