3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 02:25

Target

3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961.dll
Size

252KB
MD5

af6a70fb5d24feb8c64b057af6ea7330
SHA1

2883fc3538bf3444b2e80892f92b2957e193b49b
SHA256

3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961
SHA512

d2835590b9e5d7d0ba7c9b3a0de988631e6213222973b7da594c6ec9cfe27f8c7cb1f3d3e99006688122ce635873d3152f71c71b1ca0a6b0531114750239b941
SSDEEP

3072:+2UxPvVKNiNz1a2JRC+Tq/Kbo/ykbE+tsxGWpsdYSyaYQrVSyW8/AaTCtaXHpXp:lGvQ4Nx9RHTVbedbEknSh0xn/AaTWaXH

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4960	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0006000000022f4c-134.dat	upx
behavioral2/files/0x0006000000022f4c-135.dat	upx
behavioral2/memory/4960-137-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	4960	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4940	4204	rundll32.exe	81
PID 4204 wrote to memory of 4940	4204	rundll32.exe	81
PID 4204 wrote to memory of 4940	4204	rundll32.exe	81
PID 4940 wrote to memory of 4960	4940	rundll32.exe	82
PID 4940 wrote to memory of 4960	4940	rundll32.exe	82
PID 4940 wrote to memory of 4960	4940	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 272
      4⤵
      Program crash
      PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4960 -ip 4960
1⤵
PID:3564

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
memory/4940-136-0x000000006D280000-0x000000006D2BF000-memory.dmp

Filesize
252KB

Download
memory/4960-137-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download