c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 01:55

Target

c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll
Size

472KB
MD5

eeaac30a1688f59236aa5127644d6cc0
SHA1

61008c2b82ea846993d526daa0e85981b0583239
SHA256

c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966
SHA512

21ae16d90248bcd8a94a4953661b86346c9daaaf63e71afbbd6bc600e040630bedca40620e9449b423f7c72e6fa52ae69fd0156109a985991b62b54dbd3c1bcb
SSDEEP

12288:jehnaNPpSVZmNxRCwnwm3W3OHIIf53VO:jeh0PpS6NxNnwYeOHXD

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2164	rundll32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0001000000022e00-134.dat	upx
behavioral2/files/0x0001000000022e00-135.dat	upx
behavioral2/memory/2164-137-0x0000000000400000-0x000000000045A000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3772	5044	WerFault.exe	81
3812	2164	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 5044	4180	rundll32.exe	81
PID 4180 wrote to memory of 5044	4180	rundll32.exe	81
PID 4180 wrote to memory of 5044	4180	rundll32.exe	81
PID 5044 wrote to memory of 2164	5044	rundll32.exe	82
PID 5044 wrote to memory of 2164	5044	rundll32.exe	82
PID 5044 wrote to memory of 2164	5044	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 268
      4⤵
      Program crash
      PID:3812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 616
    3⤵
    - Program crash
    PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2164 -ip 2164
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5044 -ip 5044
1⤵
PID:4196

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
dba1231fa077c41836df91398093d5a8

SHA1
9bd1adff712907f1cbff38194e7229af5d9b2938

SHA256
10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

SHA512
ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
dba1231fa077c41836df91398093d5a8

SHA1
9bd1adff712907f1cbff38194e7229af5d9b2938

SHA256
10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

SHA512
ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

Download Submit
memory/2164-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5044-136-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download