18f89e2bc82207b6487b8ea370dc3bb8064ddc896ba6924b77a033eeaf6e5a2d

Analysis

max time kernel
123s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:30

Target

18f89e2bc82207b6487b8ea370dc3bb8064ddc896ba6924b77a033eeaf6e5a2d.dll
Size

285KB
MD5

755c09a2bd28d200065323dc7ad2e6b0
SHA1

dc365512854f656bcc6b6a86b6f3671ae38b8a38
SHA256

18f89e2bc82207b6487b8ea370dc3bb8064ddc896ba6924b77a033eeaf6e5a2d
SHA512

3829851c66988d5bd85a0325d4b80496918af6f97d337dbcfb4296e6f5cb089312c8c0ed54013d1c353f9b209eea88dbfc67dfdced4872421133f6614c645e59
SSDEEP

6144:JB9OCh1IOOcPWSMOjLWNuDB+j05tpJUJafY3/G:JB9O7jwWS4Aj6kYO

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1856	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0002000000022ddb-134.dat	upx
behavioral2/files/0x0002000000022ddb-135.dat	upx
behavioral2/memory/1856-137-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
396	1856	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1804	996	rundll32.exe	81
PID 996 wrote to memory of 1804	996	rundll32.exe	81
PID 996 wrote to memory of 1804	996	rundll32.exe	81
PID 1804 wrote to memory of 1856	1804	rundll32.exe	82
PID 1804 wrote to memory of 1856	1804	rundll32.exe	82
PID 1804 wrote to memory of 1856	1804	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\18f89e2bc82207b6487b8ea370dc3bb8064ddc896ba6924b77a033eeaf6e5a2d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\18f89e2bc82207b6487b8ea370dc3bb8064ddc896ba6924b77a033eeaf6e5a2d.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 264
      4⤵
      Program crash
      PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1856 -ip 1856
1⤵
PID:2040

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
132KB

MD5
03458f75016342531765a7def629c6fe

SHA1
7e14e6534123ce7e51aafa2ccda4688a4524eeaf

SHA256
860fdd78a1ca6dd68db4d64b918ef1fea1734a0650d4aad8c159eaf1e41ba98f

SHA512
2db0af32ab82875e50d630798ee81b8a6fef9d1fccd6953fb891e6fc07fc048b30e65fd934ad8f6bd1531d7dcb73129043a219e28f82f55497a84b8b5e9ec198

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
132KB

MD5
03458f75016342531765a7def629c6fe

SHA1
7e14e6534123ce7e51aafa2ccda4688a4524eeaf

SHA256
860fdd78a1ca6dd68db4d64b918ef1fea1734a0650d4aad8c159eaf1e41ba98f

SHA512
2db0af32ab82875e50d630798ee81b8a6fef9d1fccd6953fb891e6fc07fc048b30e65fd934ad8f6bd1531d7dcb73129043a219e28f82f55497a84b8b5e9ec198

Download Submit
memory/1804-136-0x0000000075310000-0x000000007535B000-memory.dmp

Filesize
300KB

Download
memory/1856-137-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download