4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e

Analysis

max time kernel
154s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:22

Target

4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll
Size

440KB
MD5

c50fd275bcad485892e77bba221364a0
SHA1

0f8f4f0e65f87e075c4a19ec1bb861b031281655
SHA256

4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e
SHA512

0816a58f9ff4dba5db4170beda99fa8e9eaaeb9b0000fe8f54169c948bccfb5678de9ce0dba8e60013efbbd278b4fb1dc53bbc6f641829330b48de52e3d734b6
SSDEEP

6144:DhwcskkkkknffCp5CrRKlua3Bo3EWSUxiQibG69VillCE:1wqqPo3NSJbG69VICE

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4320	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0006000000022e03-134.dat	upx
behavioral2/files/0x0006000000022e03-135.dat	upx
behavioral2/memory/4320-137-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	4320	WerFault.exe	81

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2280	4532	rundll32.exe	80
PID 4532 wrote to memory of 2280	4532	rundll32.exe	80
PID 4532 wrote to memory of 2280	4532	rundll32.exe	80
PID 2280 wrote to memory of 4320	2280	rundll32.exe	81
PID 2280 wrote to memory of 4320	2280	rundll32.exe	81
PID 2280 wrote to memory of 4320	2280	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 272
      4⤵
      Program crash
      PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4320 -ip 4320
1⤵
PID:4620

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
memory/2280-136-0x0000000010000000-0x000000001006F000-memory.dmp

Filesize
444KB

Download
memory/4320-137-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download