fbaa8ecd43d8424a8cb783fb79eed03a7c3a723d532a466f684fb905d4067c95

Analysis

max time kernel
281s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 01:44

Target

fbaa8ecd43d8424a8cb783fb79eed03a7c3a723d532a466f684fb905d4067c95.dll
Size

472KB
MD5

f95e647386993dfe4c12f602d15c3f00
SHA1

ae0e3377a4e66d018f1796b616f483e3de7dbaab
SHA256

fbaa8ecd43d8424a8cb783fb79eed03a7c3a723d532a466f684fb905d4067c95
SHA512

33eba483939780f586989a3a004e869f9c29301407a09bc86b87daedfd5cefd783cff7f4ec3ee921df6ecfb13574070e452f65c049075f4edb17ca318eb34694
SSDEEP

12288:6ehnaNPpSVZmNxRCwnwm3W3OHIIf5IYnA:6eh0PpS6NxNnwYeOHX1nA

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4740	rundll32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000b000000022de3-135.dat	upx
behavioral2/files/0x000b000000022de3-134.dat	upx
behavioral2/memory/4740-137-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3544	4740	WerFault.exe	81
3212	4380	WerFault.exe	79

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4380	60	rundll32.exe	79
PID 60 wrote to memory of 4380	60	rundll32.exe	79
PID 60 wrote to memory of 4380	60	rundll32.exe	79
PID 4380 wrote to memory of 4740	4380	rundll32.exe	81
PID 4380 wrote to memory of 4740	4380	rundll32.exe	81
PID 4380 wrote to memory of 4740	4380	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbaa8ecd43d8424a8cb783fb79eed03a7c3a723d532a466f684fb905d4067c95.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbaa8ecd43d8424a8cb783fb79eed03a7c3a723d532a466f684fb905d4067c95.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:4740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 268
      4⤵
      Program crash
      PID:3544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 608
    3⤵
    - Program crash
    PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4740 -ip 4740
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4380 -ip 4380
1⤵
PID:3692

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
1be1f21cd2a60ced5a3acd404a1f2ea6

SHA1
fff6a565164de7098aa12ee4d45dc90b15e465a8

SHA256
f35ddd14ca635ae01b84248809b5e73ba03bde56ee1b0a1595109d3e6d87f8d1

SHA512
8f78a9b1a6f29e15bc729be9157bfc6f745989e27d65cd13d1ef2238b3bf58069dfbd4ba17a0cec0395ed87f98ba99bfc80f5410aa8611c2fc2861c001930ff7

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
1be1f21cd2a60ced5a3acd404a1f2ea6

SHA1
fff6a565164de7098aa12ee4d45dc90b15e465a8

SHA256
f35ddd14ca635ae01b84248809b5e73ba03bde56ee1b0a1595109d3e6d87f8d1

SHA512
8f78a9b1a6f29e15bc729be9157bfc6f745989e27d65cd13d1ef2238b3bf58069dfbd4ba17a0cec0395ed87f98ba99bfc80f5410aa8611c2fc2861c001930ff7

Download Submit
memory/4380-136-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/4380-138-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/4740-137-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download