d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b

Analysis

max time kernel
18s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b.dll
Size

622KB
MD5

0410cb071b28551a84b14f8fd635131f
SHA1

b4e952344d2ed614c6c88c1fdff8382a58e4e790
SHA256

d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b
SHA512

afbe2b9cc7d1176463d29d067c99832d2fa72337d5f11e0046299c045e4fe398cad677e481fb319652e16d5f378665f9c17acae65789671e858c0467285dd84d
SSDEEP

12288:8h8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNRTiJJ3tSOK8:88F+Pzr/Hfp4MIYwZckMQmRPOK8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1400	rundll32mgr.exe
1076	rundll32mgrmgr.exe

Loads dropped DLL 18 IoCs

pid	Process
1432	rundll32.exe
1432	rundll32.exe
1400	rundll32mgr.exe
1400	rundll32mgr.exe
2004	WerFault.exe
852	WerFault.exe
852	WerFault.exe
2004	WerFault.exe
852	WerFault.exe
852	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
852	WerFault.exe
2004	WerFault.exe
852	WerFault.exe
2004	WerFault.exe
852	WerFault.exe
2004	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
852	1400	WerFault.exe	29
2004	1076	WerFault.exe	30

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1432	576	rundll32.exe	28
PID 576 wrote to memory of 1432	576	rundll32.exe	28
PID 576 wrote to memory of 1432	576	rundll32.exe	28
PID 576 wrote to memory of 1432	576	rundll32.exe	28
PID 576 wrote to memory of 1432	576	rundll32.exe	28
PID 576 wrote to memory of 1432	576	rundll32.exe	28
PID 576 wrote to memory of 1432	576	rundll32.exe	28
PID 1432 wrote to memory of 1400	1432	rundll32.exe	29
PID 1432 wrote to memory of 1400	1432	rundll32.exe	29
PID 1432 wrote to memory of 1400	1432	rundll32.exe	29
PID 1432 wrote to memory of 1400	1432	rundll32.exe	29
PID 1400 wrote to memory of 1076	1400	rundll32mgr.exe	30
PID 1400 wrote to memory of 1076	1400	rundll32mgr.exe	30
PID 1400 wrote to memory of 1076	1400	rundll32mgr.exe	30
PID 1400 wrote to memory of 1076	1400	rundll32mgr.exe	30
PID 1076 wrote to memory of 2004	1076	rundll32mgrmgr.exe	32
PID 1076 wrote to memory of 2004	1076	rundll32mgrmgr.exe	32
PID 1076 wrote to memory of 2004	1076	rundll32mgrmgr.exe	32
PID 1076 wrote to memory of 2004	1076	rundll32mgrmgr.exe	32
PID 1400 wrote to memory of 852	1400	rundll32mgr.exe	31
PID 1400 wrote to memory of 852	1400	rundll32mgr.exe	31
PID 1400 wrote to memory of 852	1400	rundll32mgr.exe	31
PID 1400 wrote to memory of 852	1400	rundll32mgr.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0838f8688dd42d6441c63f1cc18f135996b4b37c240e26cec3b102aee20a52b.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 100
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
memory/1076-82-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1400-80-0x0000000000230000-0x00000000002DF000-memory.dmp

Filesize
700KB

Download
memory/1400-81-0x0000000000230000-0x00000000002DF000-memory.dmp

Filesize
700KB

Download
memory/1400-83-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1432-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads