e3eb3e50df9c3c20638f9da5f5dee7aaaaef0607abf04ecddace50017601b627

Analysis

max time kernel
153s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 01:49

Target

e3eb3e50df9c3c20638f9da5f5dee7aaaaef0607abf04ecddace50017601b627.dll
Size

472KB
MD5

d244182cbcd660b26578f55d9fcb4770
SHA1

bf0328fe0049c4b458c9fc6c51434ca2f5a01e30
SHA256

e3eb3e50df9c3c20638f9da5f5dee7aaaaef0607abf04ecddace50017601b627
SHA512

a469c8aaee38f8dc1a7bc174c69448dcdd0ec027f90627be39c0db223c84ba8364d716193f759f8e8faf06f81d812162cc7a5819cfa0f776f010b57342dac8a5
SSDEEP

12288:mehnaNPpSVZmNxRCwnwm3W3OHIIf5xtn7ZDG:meh0PpS6NxNnwYeOHXjV7ZDG

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2076	rundll32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000a000000022e36-134.dat	upx
behavioral2/files/0x000a000000022e36-135.dat	upx
behavioral2/memory/2076-137-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4248	2076	WerFault.exe	83
488	1400	WerFault.exe	71

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1400	2260	rundll32.exe	71
PID 2260 wrote to memory of 1400	2260	rundll32.exe	71
PID 2260 wrote to memory of 1400	2260	rundll32.exe	71
PID 1400 wrote to memory of 2076	1400	rundll32.exe	83
PID 1400 wrote to memory of 2076	1400	rundll32.exe	83
PID 1400 wrote to memory of 2076	1400	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3eb3e50df9c3c20638f9da5f5dee7aaaaef0607abf04ecddace50017601b627.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3eb3e50df9c3c20638f9da5f5dee7aaaaef0607abf04ecddace50017601b627.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:2076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 268
      4⤵
      Program crash
      PID:4248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 580
    3⤵
    - Program crash
    PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2076 -ip 2076
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1400 -ip 1400
1⤵
PID:4240

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
91b07c6f70654a26ca1cd8cde6fb2a7e

SHA1
789629859ed76191432fd7ab40cfa0487b580a6e

SHA256
37417b870c644d70c09c773b828dbb451e33d4e74df2f66d9698ae090d240d15

SHA512
077b62709e40c66304429acae5cccb953affa59791f2139d0b0e3e8a4610d38aa5dd6a44d9c857220245a9e746fb980a5dd0966d8b2795313ca7b6deeafd1dd2

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
91b07c6f70654a26ca1cd8cde6fb2a7e

SHA1
789629859ed76191432fd7ab40cfa0487b580a6e

SHA256
37417b870c644d70c09c773b828dbb451e33d4e74df2f66d9698ae090d240d15

SHA512
077b62709e40c66304429acae5cccb953affa59791f2139d0b0e3e8a4610d38aa5dd6a44d9c857220245a9e746fb980a5dd0966d8b2795313ca7b6deeafd1dd2

Download Submit
memory/1400-136-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/2076-137-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download