9d43d17dd5e068efca162758f6f30d66bb18d7bfd7ce1aeaf477c1916c01429e

Analysis

max time kernel
222s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:19

Target

9d43d17dd5e068efca162758f6f30d66bb18d7bfd7ce1aeaf477c1916c01429e.dll
Size

16KB
MD5

f65e600683713d56536993a77d976c60
SHA1

7ed03bd61b3cf20e501b5b5593de9e97f98376b6
SHA256

9d43d17dd5e068efca162758f6f30d66bb18d7bfd7ce1aeaf477c1916c01429e
SHA512

12e10192dfb61fb00b78ed4b3d8520890d0179c77bc08519f18868c308e8c64e84c1a58c0f55625f1073446616a97b02ef592994d73609f7d7517d892cc070f5
SSDEEP

384:S9a7L+KQ6B1WiXZopmPgzXmRYElh1LB9RTlnXLRbzlI:SYW6rGpUIJmLNlXFba

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1940-57-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1768	1940	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 1940	580	rundll32.exe	28
PID 580 wrote to memory of 1940	580	rundll32.exe	28
PID 580 wrote to memory of 1940	580	rundll32.exe	28
PID 580 wrote to memory of 1940	580	rundll32.exe	28
PID 580 wrote to memory of 1940	580	rundll32.exe	28
PID 580 wrote to memory of 1940	580	rundll32.exe	28
PID 580 wrote to memory of 1940	580	rundll32.exe	28
PID 1940 wrote to memory of 1768	1940	rundll32.exe	29
PID 1940 wrote to memory of 1768	1940	rundll32.exe	29
PID 1940 wrote to memory of 1768	1940	rundll32.exe	29
PID 1940 wrote to memory of 1768	1940	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d43d17dd5e068efca162758f6f30d66bb18d7bfd7ce1aeaf477c1916c01429e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d43d17dd5e068efca162758f6f30d66bb18d7bfd7ce1aeaf477c1916c01429e.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 228
    3⤵
    - Program crash
    PID:1768

memory/1940-55-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download
memory/1940-57-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download