bd96acddb02f667ec69165ccc69e42337f4210c69bc3d356e789ff93b304dee3

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 01:57

Target

bd96acddb02f667ec69165ccc69e42337f4210c69bc3d356e789ff93b304dee3.dll
Size

341KB
MD5

af2cfa38d23ba266a7c358f21a302e20
SHA1

0c0664a60c3bccd229c1400c2f08d439b6f16fd6
SHA256

bd96acddb02f667ec69165ccc69e42337f4210c69bc3d356e789ff93b304dee3
SHA512

3957f537fda6c761c306d638b9972c9de77127c3963c73e452d95c7ee3dcbb0a96f1e645c2f156fefb575438f15baec87000984619fb5c962c7102ea0017124c
SSDEEP

6144:SxGMku94XCzTurXzURlbDC9K69u2m+SqOWcsQQKiY4leDDGoggH/VREG6j4Gm01k:SxGCOXzURlbDC9K69u2m+SqOWcsQQKiM

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
5104	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000b00000002171d-134.dat	upx
behavioral2/files/0x000b00000002171d-135.dat	upx
behavioral2/memory/5104-137-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3176	5104	WerFault.exe	81
1656	528	WerFault.exe	80

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 528	3496	rundll32.exe	80
PID 3496 wrote to memory of 528	3496	rundll32.exe	80
PID 3496 wrote to memory of 528	3496	rundll32.exe	80
PID 528 wrote to memory of 5104	528	rundll32.exe	81
PID 528 wrote to memory of 5104	528	rundll32.exe	81
PID 528 wrote to memory of 5104	528	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd96acddb02f667ec69165ccc69e42337f4210c69bc3d356e789ff93b304dee3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd96acddb02f667ec69165ccc69e42337f4210c69bc3d356e789ff93b304dee3.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:5104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 260
      4⤵
      Program crash
      PID:3176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 636
    3⤵
    - Program crash
    PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5104 -ip 5104
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 528 -ip 528
1⤵
PID:1020

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
129KB

MD5
0344a3aa574e9d0e0f5593ed1b4cb88b

SHA1
951fe2b0b4678199676e71838d91dddf762fa79d

SHA256
93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded

SHA512
31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc

Download Submit
memory/528-136-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/5104-137-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download