9b2e2365015a57836207c6c01ae9af5183d5f1dd26fce77909b1229585f57125

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 20:35

Target

9b2e2365015a57836207c6c01ae9af5183d5f1dd26fce77909b1229585f57125.dll
Size

1012KB
MD5

02fd39c4639ff1fdd869ac836acde0f6
SHA1

670a2b04058d9e381acb1ecba99b75cc71fc6b60
SHA256

9b2e2365015a57836207c6c01ae9af5183d5f1dd26fce77909b1229585f57125
SHA512

226f5b4cfe8798d978fa08773e5049233971f0eb0a87ec6db7a82aa14d3c29c26a3bf34858e27ecd153faf7e10230f692107e5fb6a37fb101a98a70241f1db34
SSDEEP

6144:fS44s8Wkco+60cg75jF2ymYw4CJWk1EoEbC:qSls+lRFllCJJ

Score

7^/10

Loads dropped DLL 2 IoCs

pid	Process
1036	rundll32.exe
1036	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\andasebxand.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\andasebxand.dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3420	1036	WerFault.exe	79

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 1036	3528	rundll32.exe	79
PID 3528 wrote to memory of 1036	3528	rundll32.exe	79
PID 3528 wrote to memory of 1036	3528	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b2e2365015a57836207c6c01ae9af5183d5f1dd26fce77909b1229585f57125.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b2e2365015a57836207c6c01ae9af5183d5f1dd26fce77909b1229585f57125.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:1036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 896
    3⤵
    - Program crash
    PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1036 -ip 1036
1⤵
PID:1148

C:\Windows\SysWOW64\andasebxand.dll

Filesize
2.1MB

MD5
84bb96cb25e1a0a6b6e4875a0d2bd028

SHA1
4dca7522a4fda7f4b3f1b880d35673bc9202a2c0

SHA256
6cc648395f61efd2ef610c2232659e27d390d3e62ad7d6186e5fb6b392ff4148

SHA512
ee72c9d5860c777266cb51b5f95491590255e1f0c4bcb2e4f059169eb45623ebe27d291fa81ad05d722eeb7384436cc435440f39e2e93d4a1dd5b7f834ea19e2

Download Submit
C:\Windows\SysWOW64\andasebxand.dll

Filesize
2.1MB

MD5
84bb96cb25e1a0a6b6e4875a0d2bd028

SHA1
4dca7522a4fda7f4b3f1b880d35673bc9202a2c0

SHA256
6cc648395f61efd2ef610c2232659e27d390d3e62ad7d6186e5fb6b392ff4148

SHA512
ee72c9d5860c777266cb51b5f95491590255e1f0c4bcb2e4f059169eb45623ebe27d291fa81ad05d722eeb7384436cc435440f39e2e93d4a1dd5b7f834ea19e2

Download Submit
memory/1036-134-0x0000000001520000-0x0000000001578000-memory.dmp

Filesize
352KB

Download
memory/1036-141-0x00000000013D0000-0x00000000013D8000-memory.dmp

Filesize
32KB

Download
memory/1036-148-0x0000000001590000-0x00000000015CE000-memory.dmp

Filesize
248KB

Download
memory/1036-150-0x00000000032F0000-0x0000000003348000-memory.dmp

Filesize
352KB

Download
memory/1036-157-0x00000000015D0000-0x00000000015D8000-memory.dmp

Filesize
32KB

Download