7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f

Analysis

max time kernel
285s
max time network
341s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 06:33

Target

7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f.dll
Size

564KB
MD5

aa952608fe5ae9acf13b3ba7d51130a0
SHA1

57352f83b167a06242e9010561a80f387fc6d7b7
SHA256

7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f
SHA512

0bf32e8e419b3b58f479dc375ec8d3fc38f5de626f991596b7c2b582feebdc2cae664566f8141c42b111baf39a8820a9a35a501c1402096f6f8450eaea352a60
SSDEEP

12288:Yh8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNZYE6N:Y8F+Pzr/Hfp4MIYwZckMQmGv

Score

8^/10

upx

Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

4432 rundll32mgr.exe

pid	process
4432	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\rundll32mgr.exe	upx
C:\Windows\SysWOW64\rundll32mgr.exe	upx
behavioral2/memory/4432-136-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1696 4432 WerFault.exe rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
1696	4432	WerFault.exe	rundll32mgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exe

description	pid	process	target process
PID 1600 wrote to memory of 3572	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 3572	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 3572	1600	rundll32.exe	rundll32.exe
PID 3572 wrote to memory of 4432	3572	rundll32.exe	rundll32mgr.exe
PID 3572 wrote to memory of 4432	3572	rundll32.exe	rundll32mgr.exe
PID 3572 wrote to memory of 4432	3572	rundll32.exe	rundll32mgr.exe
PID 4432 wrote to memory of 1696	4432	rundll32mgr.exe	WerFault.exe
PID 4432 wrote to memory of 1696	4432	rundll32mgr.exe	WerFault.exe
PID 4432 wrote to memory of 1696	4432	rundll32mgr.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ff0f669c10916810edbbf54772b36811250b3ff8208086087906702fffb247f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 260
4⤵
- Program crash
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4432 -ip 4432
1⤵
PID:3996

C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
memory/1696-137-0x0000000000000000-mapping.dmp

Download
memory/3572-132-0x0000000000000000-mapping.dmp

Download
memory/4432-133-0x0000000000000000-mapping.dmp

Download
memory/4432-136-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download