72bbde775dfdbf608c3e25fc6e63107b10ad645a2fd62a95e3a325490fbfcc19

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 17:52

Target

72bbde775dfdbf608c3e25fc6e63107b10ad645a2fd62a95e3a325490fbfcc19.dll
Size

16KB
MD5

a1bf355aad54dd81f382cab41f718600
SHA1

a63dbbd35ac479c3962a9eb906528fa5dfebf9e5
SHA256

72bbde775dfdbf608c3e25fc6e63107b10ad645a2fd62a95e3a325490fbfcc19
SHA512

7de800a3d3de339dc32ca8131a8440e524212ff3b2ada66d4fd71b99b9e4a56b54dc8e92790e5a7618b8530cc047f91c3b162bedf979a7b63caa0ca7a632c706
SSDEEP

384:S9a7L+KQ6B1WiXZopmPgzXmRYElh1LB9RTlnXLRbzlk:SYW6rGpUIJmLNlXFbO

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1676-57-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	1676	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1092 wrote to memory of 1676	1092	rundll32.exe	27
PID 1676 wrote to memory of 1776	1676	rundll32.exe	28
PID 1676 wrote to memory of 1776	1676	rundll32.exe	28
PID 1676 wrote to memory of 1776	1676	rundll32.exe	28
PID 1676 wrote to memory of 1776	1676	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\72bbde775dfdbf608c3e25fc6e63107b10ad645a2fd62a95e3a325490fbfcc19.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\72bbde775dfdbf608c3e25fc6e63107b10ad645a2fd62a95e3a325490fbfcc19.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 228
    3⤵
    - Program crash
    PID:1776

memory/1676-55-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1676-57-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download