d5dc83a56fa63c3efdbc8cc69b33e9fb37e86d273b36c90dbd2e674c47534ecd

Analysis

max time kernel
147s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5dc83a56fa63c3efdbc8cc69b33e9fb37e86d273b36c90dbd2e674c47534ecd.dll
Size

295KB
MD5

bfb47572d8d0261e03e7d8cb6e65aa60
SHA1

e508eb2bd9c831eca0c5908f1bf121f69f820640
SHA256

d5dc83a56fa63c3efdbc8cc69b33e9fb37e86d273b36c90dbd2e674c47534ecd
SHA512

155ef8cd7991bc72471a45185f51301dc3a5d2353b7d28c793276e8f3a29c3df2d06d66b549d7cacaf644f1d3a11849b2c8bcef79c62759f30a34cf085a36d0e
SSDEEP

6144:BCIGPj038tAgFMldWNX+sf5SbL18+RnE1HM:qj038t/FMldW420ZRnT

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1412	rundll32mgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/memory/1412-62-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1412-63-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1396	rundll32.exe
1396	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
816	1396	WerFault.exe	27

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1396	952	rundll32.exe	27
PID 952 wrote to memory of 1396	952	rundll32.exe	27
PID 952 wrote to memory of 1396	952	rundll32.exe	27
PID 952 wrote to memory of 1396	952	rundll32.exe	27
PID 952 wrote to memory of 1396	952	rundll32.exe	27
PID 952 wrote to memory of 1396	952	rundll32.exe	27
PID 952 wrote to memory of 1396	952	rundll32.exe	27
PID 1396 wrote to memory of 1412	1396	rundll32.exe	28
PID 1396 wrote to memory of 1412	1396	rundll32.exe	28
PID 1396 wrote to memory of 1412	1396	rundll32.exe	28
PID 1396 wrote to memory of 1412	1396	rundll32.exe	28
PID 1396 wrote to memory of 816	1396	rundll32.exe	29
PID 1396 wrote to memory of 816	1396	rundll32.exe	29
PID 1396 wrote to memory of 816	1396	rundll32.exe	29
PID 1396 wrote to memory of 816	1396	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5dc83a56fa63c3efdbc8cc69b33e9fb37e86d273b36c90dbd2e674c47534ecd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5dc83a56fa63c3efdbc8cc69b33e9fb37e86d273b36c90dbd2e674c47534ecd.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 228
    3⤵
    - Program crash
    PID:816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
memory/1396-55-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1396-60-0x0000000010000000-0x000000001004E000-memory.dmp

Filesize
312KB

Download
memory/1396-61-0x0000000000330000-0x0000000000391000-memory.dmp

Filesize
388KB

Download
memory/1396-65-0x0000000010000000-0x000000001004E000-memory.dmp

Filesize
312KB

Download
memory/1412-62-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1412-63-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download