ca7e2e079e91a22275d0aae69d717c4087e799d3aa845a421749f0208dea9ab2

Analysis

max time kernel
56s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 01:54

Target

ca7e2e079e91a22275d0aae69d717c4087e799d3aa845a421749f0208dea9ab2.dll
Size

180KB
MD5

8569e1da723c3eeaca31f91d0f03d130
SHA1

14b17d189f3793931128da9f544f9aadf01bb8c9
SHA256

ca7e2e079e91a22275d0aae69d717c4087e799d3aa845a421749f0208dea9ab2
SHA512

62cb682c4aab9e46368029966d2c10f2c3b9f7451614a5a08ce4f0325722052412ae742d463fc266d37e2f62fad0ec428fd4abcdf28c855f68ba231e5da23f5d
SSDEEP

3072:sn4cV8gf2u41Z5tKlqi6D76hjv5cQ2pQwN:e4y8gOl2F6DclcQMQw

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
752	rundll32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0006000000022f75-135.dat	upx
behavioral2/files/0x0006000000022f75-136.dat	upx
behavioral2/memory/752-137-0x0000000000400000-0x000000000045A000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5012	752	WerFault.exe	80

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4044	880	rundll32.exe	79
PID 880 wrote to memory of 4044	880	rundll32.exe	79
PID 880 wrote to memory of 4044	880	rundll32.exe	79
PID 4044 wrote to memory of 752	4044	rundll32.exe	80
PID 4044 wrote to memory of 752	4044	rundll32.exe	80
PID 4044 wrote to memory of 752	4044	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca7e2e079e91a22275d0aae69d717c4087e799d3aa845a421749f0208dea9ab2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca7e2e079e91a22275d0aae69d717c4087e799d3aa845a421749f0208dea9ab2.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 268
      4⤵
      Program crash
      PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 752 -ip 752
1⤵
PID:5052

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
882bdc1a5338e812804c0da2b4f4fb9e

SHA1
8c2f20bb9bcc250e75dfabf19c6b1d794628458c

SHA256
0d310c2a700c9dee657aaa4beca2c1b2b7ebb39cae7df660147ad0b07542e883

SHA512
5429691d761a10fc2d5776ca397cf09a72c5e66250b789499fc3f2c1dc87229b0992faed565955b68d6ba512b3f8fa6c22321b1e973519275b417c6051aa124f

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
882bdc1a5338e812804c0da2b4f4fb9e

SHA1
8c2f20bb9bcc250e75dfabf19c6b1d794628458c

SHA256
0d310c2a700c9dee657aaa4beca2c1b2b7ebb39cae7df660147ad0b07542e883

SHA512
5429691d761a10fc2d5776ca397cf09a72c5e66250b789499fc3f2c1dc87229b0992faed565955b68d6ba512b3f8fa6c22321b1e973519275b417c6051aa124f

Download Submit
memory/752-134-0x0000000000000000-mapping.dmp

Download
memory/752-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4044-132-0x0000000000000000-mapping.dmp

Download
memory/4044-133-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download