72b2a44b468f442b9dbde86bf33c36fb83530bc3dd8efc76d9c2321e7b6cfe3a

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:19

Target

72b2a44b468f442b9dbde86bf33c36fb83530bc3dd8efc76d9c2321e7b6cfe3a.dll
Size

16KB
MD5

c2477c2061085f10d7446db144e591b0
SHA1

42b46422d89865cd38524976428bff1b88b93b86
SHA256

72b2a44b468f442b9dbde86bf33c36fb83530bc3dd8efc76d9c2321e7b6cfe3a
SHA512

644857fcb060b778ceb47c4db1387184043d7bd28412dd4e52d68892b0a5678067f08d25d7f13ccb96603ccda9fb19969f9bc3dd1ee78e161f3bec054c6fb2a7
SSDEEP

384:S9a7L+KQ6B1WiXZopmPgzXmRYElh1LB9RTlnXLRbzlQ9:SYW6rGpUIJmLNlXFbq

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/928-57-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1300	928	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 928	992	rundll32.exe	27
PID 992 wrote to memory of 928	992	rundll32.exe	27
PID 992 wrote to memory of 928	992	rundll32.exe	27
PID 992 wrote to memory of 928	992	rundll32.exe	27
PID 992 wrote to memory of 928	992	rundll32.exe	27
PID 992 wrote to memory of 928	992	rundll32.exe	27
PID 992 wrote to memory of 928	992	rundll32.exe	27
PID 928 wrote to memory of 1300	928	rundll32.exe	28
PID 928 wrote to memory of 1300	928	rundll32.exe	28
PID 928 wrote to memory of 1300	928	rundll32.exe	28
PID 928 wrote to memory of 1300	928	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\72b2a44b468f442b9dbde86bf33c36fb83530bc3dd8efc76d9c2321e7b6cfe3a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\72b2a44b468f442b9dbde86bf33c36fb83530bc3dd8efc76d9c2321e7b6cfe3a.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 228
    3⤵
    - Program crash
    PID:1300

memory/928-55-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/928-57-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download