92dbc60ec97369b8f53fcf9d68f9d52de62f58657660ecf5cab8175b50fc3410

Analysis

max time kernel
132s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 12:15

Target

92dbc60ec97369b8f53fcf9d68f9d52de62f58657660ecf5cab8175b50fc3410.dll
Size

556KB
MD5

bacfa1c655a9ebf327c9194eb30a0db0
SHA1

f1a64a940a8ae2cae04e0e5aa6ba279e681f3cf8
SHA256

92dbc60ec97369b8f53fcf9d68f9d52de62f58657660ecf5cab8175b50fc3410
SHA512

5ee217db9299771327e94c467dfda713524385de98d2dedc881d2a9b5e6325401bd7fa4fb1e1989c901fe78df019abdf7da93e1ab79c070a29c168af910f953c
SSDEEP

12288:5ehnaNPpSVZmNxRCwnwm3W3OHIIf5433xnk7tfJ9:5eh0PpS6NxNnwYeOHX23BuJJ9

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
3208	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0006000000022f5c-134.dat	upx
behavioral2/files/0x0006000000022f5c-135.dat	upx
behavioral2/memory/3208-137-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4856	3208	WerFault.exe	79
4952	3796	WerFault.exe	78

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3796	4512	rundll32.exe	78
PID 4512 wrote to memory of 3796	4512	rundll32.exe	78
PID 4512 wrote to memory of 3796	4512	rundll32.exe	78
PID 3796 wrote to memory of 3208	3796	rundll32.exe	79
PID 3796 wrote to memory of 3208	3796	rundll32.exe	79
PID 3796 wrote to memory of 3208	3796	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\92dbc60ec97369b8f53fcf9d68f9d52de62f58657660ecf5cab8175b50fc3410.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\92dbc60ec97369b8f53fcf9d68f9d52de62f58657660ecf5cab8175b50fc3410.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:3208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 264
      4⤵
      Program crash
      PID:4856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 608
    3⤵
    - Program crash
    PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3208 -ip 3208
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3796 -ip 3796
1⤵
PID:4420

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
171KB

MD5
9d974a4a25bb580835ecf77e9bb75e77

SHA1
2743ede3c4832b7ca5ea5d1a320c269dc9eaa13e

SHA256
75b792ef1e1aed47ad12db96a2748187eb154c826d0046bc4cbc37c245d34ed5

SHA512
1a07160b1e8e9cf136c0445b534611f42b8d1f1313ebd77ebb493a4cf9506db855831007bc5f994e63e6218ef64bb897c6badb626f2fe2ba49ce7c5f98abcd86

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
171KB

MD5
9d974a4a25bb580835ecf77e9bb75e77

SHA1
2743ede3c4832b7ca5ea5d1a320c269dc9eaa13e

SHA256
75b792ef1e1aed47ad12db96a2748187eb154c826d0046bc4cbc37c245d34ed5

SHA512
1a07160b1e8e9cf136c0445b534611f42b8d1f1313ebd77ebb493a4cf9506db855831007bc5f994e63e6218ef64bb897c6badb626f2fe2ba49ce7c5f98abcd86

Download Submit
memory/3208-133-0x0000000000000000-mapping.dmp

Download
memory/3208-137-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3796-132-0x0000000000000000-mapping.dmp

Download
memory/3796-136-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download