3496f0b95ab1e34ba50e9fd378fdf536692bd9c75d10f95e04e6deb60684e47f

Analysis

max time kernel
153s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:26

Target

3496f0b95ab1e34ba50e9fd378fdf536692bd9c75d10f95e04e6deb60684e47f.dll
Size

180KB
MD5

9c73c76055cc59b5bc931dd3d97af240
SHA1

8accf73064536bfc62741530e0cc39cfb2293aa6
SHA256

3496f0b95ab1e34ba50e9fd378fdf536692bd9c75d10f95e04e6deb60684e47f
SHA512

9b7ce38c429e01b06fb2ff33737ae755dd53c8dc08cc91d68f7974ff8f7c5724f630f4aaac54707535ef9297b5b37f9588b1c91cf03475cd22577432d9636a64
SSDEEP

3072:Yn4cV8gf2u41Z5tKlnk0cA+yJWbg5nxw64ApZb8fi:y4y8gOl2G05Ju64w8q

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
3472	rundll32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0006000000022e3e-135.dat	upx
behavioral2/files/0x0006000000022e3e-136.dat	upx
behavioral2/memory/3472-137-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4592	3472	WerFault.exe	86

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1468	2908	rundll32.exe	83
PID 2908 wrote to memory of 1468	2908	rundll32.exe	83
PID 2908 wrote to memory of 1468	2908	rundll32.exe	83
PID 1468 wrote to memory of 3472	1468	rundll32.exe	86
PID 1468 wrote to memory of 3472	1468	rundll32.exe	86
PID 1468 wrote to memory of 3472	1468	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3496f0b95ab1e34ba50e9fd378fdf536692bd9c75d10f95e04e6deb60684e47f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3496f0b95ab1e34ba50e9fd378fdf536692bd9c75d10f95e04e6deb60684e47f.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:3472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 272
      4⤵
      Program crash
      PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3472 -ip 3472
1⤵
PID:1680

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
1be1f21cd2a60ced5a3acd404a1f2ea6

SHA1
fff6a565164de7098aa12ee4d45dc90b15e465a8

SHA256
f35ddd14ca635ae01b84248809b5e73ba03bde56ee1b0a1595109d3e6d87f8d1

SHA512
8f78a9b1a6f29e15bc729be9157bfc6f745989e27d65cd13d1ef2238b3bf58069dfbd4ba17a0cec0395ed87f98ba99bfc80f5410aa8611c2fc2861c001930ff7

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
90KB

MD5
1be1f21cd2a60ced5a3acd404a1f2ea6

SHA1
fff6a565164de7098aa12ee4d45dc90b15e465a8

SHA256
f35ddd14ca635ae01b84248809b5e73ba03bde56ee1b0a1595109d3e6d87f8d1

SHA512
8f78a9b1a6f29e15bc729be9157bfc6f745989e27d65cd13d1ef2238b3bf58069dfbd4ba17a0cec0395ed87f98ba99bfc80f5410aa8611c2fc2861c001930ff7

Download Submit
memory/1468-133-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3472-137-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download