a423ac2a676c1bb40062a2901bda55498455d3c1c413081fa7af0043a477f7ef

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 02:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a423ac2a676c1bb40062a2901bda55498455d3c1c413081fa7af0043a477f7ef.dll
Size

353KB
MD5

223ac5eaa0f2d7ad648a16a5520cea94
SHA1

6bdb079fde8e1dfbccdf5d483d57ee782defba96
SHA256

a423ac2a676c1bb40062a2901bda55498455d3c1c413081fa7af0043a477f7ef
SHA512

bc6fdd707a23f8108fe26660a8b023c53aef241d3f26a0a6fe859167d7c894dcbc1763981ab833751bd3701dfef0a07af6c0b7083d482008148b4cc42f90ec66
SSDEEP

6144:XCIGPj038tAgFMldWNX+bTpAJJDz1xtSczZ7kFI:sj038t/FMldW4bTiJJ3tSOKI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1728	rundll32mgr.exe
952	rundll32mgrmgr.exe

Loads dropped DLL 18 IoCs

pid	Process
1240	rundll32.exe
1240	rundll32.exe
1728	rundll32mgr.exe
1728	rundll32mgr.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1652	WerFault.exe
1548	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1600	1240	WerFault.exe	28
1548	1728	WerFault.exe	29
1652	952	WerFault.exe	30

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 1240	580	rundll32.exe	28
PID 580 wrote to memory of 1240	580	rundll32.exe	28
PID 580 wrote to memory of 1240	580	rundll32.exe	28
PID 580 wrote to memory of 1240	580	rundll32.exe	28
PID 580 wrote to memory of 1240	580	rundll32.exe	28
PID 580 wrote to memory of 1240	580	rundll32.exe	28
PID 580 wrote to memory of 1240	580	rundll32.exe	28
PID 1240 wrote to memory of 1728	1240	rundll32.exe	29
PID 1240 wrote to memory of 1728	1240	rundll32.exe	29
PID 1240 wrote to memory of 1728	1240	rundll32.exe	29
PID 1240 wrote to memory of 1728	1240	rundll32.exe	29
PID 1728 wrote to memory of 952	1728	rundll32mgr.exe	30
PID 1728 wrote to memory of 952	1728	rundll32mgr.exe	30
PID 1728 wrote to memory of 952	1728	rundll32mgr.exe	30
PID 1728 wrote to memory of 952	1728	rundll32mgr.exe	30
PID 1240 wrote to memory of 1600	1240	rundll32.exe	31
PID 1240 wrote to memory of 1600	1240	rundll32.exe	31
PID 1240 wrote to memory of 1600	1240	rundll32.exe	31
PID 1240 wrote to memory of 1600	1240	rundll32.exe	31
PID 1728 wrote to memory of 1548	1728	rundll32mgr.exe	32
PID 1728 wrote to memory of 1548	1728	rundll32mgr.exe	32
PID 1728 wrote to memory of 1548	1728	rundll32mgr.exe	32
PID 1728 wrote to memory of 1548	1728	rundll32mgr.exe	32
PID 952 wrote to memory of 1652	952	rundll32mgrmgr.exe	33
PID 952 wrote to memory of 1652	952	rundll32mgrmgr.exe	33
PID 952 wrote to memory of 1652	952	rundll32mgrmgr.exe	33
PID 952 wrote to memory of 1652	952	rundll32mgrmgr.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a423ac2a676c1bb40062a2901bda55498455d3c1c413081fa7af0043a477f7ef.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a423ac2a676c1bb40062a2901bda55498455d3c1c413081fa7af0043a477f7ef.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 100
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 228
    3⤵
    - Program crash
    PID:1600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
186KB

MD5
f944fdb0929660b9d7626ee746f531bf

SHA1
a5e053e6f8c3b2af2f2ce89412bf6b95e1a0f1e5

SHA256
e24a5028e40fa02f1a0e9420df48efa2b67acc4d3a2a5c45d4f6653e9334d7a8

SHA512
917a8f0b84968f6e2d0d28a2afc39088344eaf946bbc006712413905acfe07b5fbabdb28ae15acdf5c38a2cf4cf7ca1766f34fd5dc3f339d8425a43825f05a53

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
92KB

MD5
f6830df60354eff567ac1906e9db1ae6

SHA1
be512d8136aace9ec6d74cd96bd0f0d970a427e3

SHA256
5f0102011f16261efdbb31df52316e2307d4c9a3a3bc9b3a462f07191432d616

SHA512
80a33e363ccec283a47254a13b3ac3d7784c2e672c5843de8ddd01630722c72b2e25745331a6f8eee240e7407ced6ae56bd4dbf9ac92b2dde9406217a4c8f483

Download Submit
memory/952-83-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1240-79-0x0000000010000000-0x000000001005D000-memory.dmp

Filesize
372KB

Download
memory/1240-80-0x00000000007D0000-0x0000000000897000-memory.dmp

Filesize
796KB

Download
memory/1240-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1728-82-0x0000000002280000-0x000000000232F000-memory.dmp

Filesize
700KB

Download
memory/1728-81-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads