5dceb07b359fb2d8340059be821351742597ce64cbf538d966a88058dd361d94

Analysis

max time kernel
4s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 17:53

Target

5dceb07b359fb2d8340059be821351742597ce64cbf538d966a88058dd361d94.dll
Size

16KB
MD5

22ae803ced7ddca78e88b49ee0e1df80
SHA1

96d7b128baf52c22ffd3156a5aea767e7cbdb8ee
SHA256

5dceb07b359fb2d8340059be821351742597ce64cbf538d966a88058dd361d94
SHA512

dfa11f4d0b506f6c75eba8c09ffba77e9b531c7b4f29220adce8b6f9f738d85f5c38d956d95577df6d62da59836df09386454d6a8e3a786fab554ac33f916292
SSDEEP

384:S9a7L+KQ6B1WiXZopmPgzXmRYElh1LB9RTlnXLRbzlI:SYW6rGpUIJmLNlXFby

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/868-57-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1496	868	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 868	1316	rundll32.exe	28
PID 1316 wrote to memory of 868	1316	rundll32.exe	28
PID 1316 wrote to memory of 868	1316	rundll32.exe	28
PID 1316 wrote to memory of 868	1316	rundll32.exe	28
PID 1316 wrote to memory of 868	1316	rundll32.exe	28
PID 1316 wrote to memory of 868	1316	rundll32.exe	28
PID 1316 wrote to memory of 868	1316	rundll32.exe	28
PID 868 wrote to memory of 1496	868	rundll32.exe	29
PID 868 wrote to memory of 1496	868	rundll32.exe	29
PID 868 wrote to memory of 1496	868	rundll32.exe	29
PID 868 wrote to memory of 1496	868	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5dceb07b359fb2d8340059be821351742597ce64cbf538d966a88058dd361d94.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5dceb07b359fb2d8340059be821351742597ce64cbf538d966a88058dd361d94.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 228
    3⤵
    - Program crash
    PID:1496

memory/868-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/868-57-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download