0ba75fc2fe07c95f8a3ba6ac4c2ef6eff13b328fc90675712d11aadc02ba0a74

Analysis

max time kernel
217s
max time network
321s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:32

Target

0ba75fc2fe07c95f8a3ba6ac4c2ef6eff13b328fc90675712d11aadc02ba0a74.dll
Size

180KB
MD5

2c48e3c1d0ef419399c5fdcc203b5be0
SHA1

83946effc3c94a7ed934ac5342701f386f575e3f
SHA256

0ba75fc2fe07c95f8a3ba6ac4c2ef6eff13b328fc90675712d11aadc02ba0a74
SHA512

e0534d556169be6910210ef2616a0caf05a78c5fc41e9dc76d32d00a6daf4af1a69f148dadfb6c5a496a7188383b3c8c239bf0e5e03ac0f8d735cb4ae826262a
SSDEEP

3072:Rn4cV8gf2u41Z5tKlLMNaBaTvxpIpOPgEm0:F4y8gOl2XBspGpmHm

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2564	rundll32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0006000000022deb-135.dat	upx
behavioral2/files/0x0006000000022deb-136.dat	upx
behavioral2/memory/2564-137-0x0000000000400000-0x000000000045A000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4824	2564	WerFault.exe	84

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3436	4988	rundll32.exe	82
PID 4988 wrote to memory of 3436	4988	rundll32.exe	82
PID 4988 wrote to memory of 3436	4988	rundll32.exe	82
PID 3436 wrote to memory of 2564	3436	rundll32.exe	84
PID 3436 wrote to memory of 2564	3436	rundll32.exe	84
PID 3436 wrote to memory of 2564	3436	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ba75fc2fe07c95f8a3ba6ac4c2ef6eff13b328fc90675712d11aadc02ba0a74.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ba75fc2fe07c95f8a3ba6ac4c2ef6eff13b328fc90675712d11aadc02ba0a74.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:2564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 268
      4⤵
      Program crash
      PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2564 -ip 2564
1⤵
PID:4172

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
882bdc1a5338e812804c0da2b4f4fb9e

SHA1
8c2f20bb9bcc250e75dfabf19c6b1d794628458c

SHA256
0d310c2a700c9dee657aaa4beca2c1b2b7ebb39cae7df660147ad0b07542e883

SHA512
5429691d761a10fc2d5776ca397cf09a72c5e66250b789499fc3f2c1dc87229b0992faed565955b68d6ba512b3f8fa6c22321b1e973519275b417c6051aa124f

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
882bdc1a5338e812804c0da2b4f4fb9e

SHA1
8c2f20bb9bcc250e75dfabf19c6b1d794628458c

SHA256
0d310c2a700c9dee657aaa4beca2c1b2b7ebb39cae7df660147ad0b07542e883

SHA512
5429691d761a10fc2d5776ca397cf09a72c5e66250b789499fc3f2c1dc87229b0992faed565955b68d6ba512b3f8fa6c22321b1e973519275b417c6051aa124f

Download Submit
memory/2564-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download