a75f733dbcbeed178bc76b7b54e6db53731f08f54d16cd92f5e64d3a74b403ed

Analysis

max time kernel
180s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 13:31

Target

a75f733dbcbeed178bc76b7b54e6db53731f08f54d16cd92f5e64d3a74b403ed.dll
Size

312KB
MD5

e0562e0263974109b1e39c4c37e15e8b
SHA1

aefe077e5adf8c95fc3a4da6e6931b3fdea217b5
SHA256

a75f733dbcbeed178bc76b7b54e6db53731f08f54d16cd92f5e64d3a74b403ed
SHA512

0f7b55b8648509b31881650adf94021befce4086ab44418bd2fc8e8e982f1208c1b3bc0b6e281a0368f7af163da5ee906e1f380c807926e99ca32e5c0a7a7bca
SSDEEP

6144:I+fD/0QSzItKOgGFYvBRU6kkTIrYbMvDaY:I+fzgItmZ6kTIrYIuY

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1440	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0006000000022e68-134.dat	upx
behavioral2/files/0x0006000000022e68-135.dat	upx
behavioral2/memory/1440-137-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1216	1440	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 5096	3112	rundll32.exe	80
PID 3112 wrote to memory of 5096	3112	rundll32.exe	80
PID 3112 wrote to memory of 5096	3112	rundll32.exe	80
PID 5096 wrote to memory of 1440	5096	rundll32.exe	82
PID 5096 wrote to memory of 1440	5096	rundll32.exe	82
PID 5096 wrote to memory of 1440	5096	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a75f733dbcbeed178bc76b7b54e6db53731f08f54d16cd92f5e64d3a74b403ed.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a75f733dbcbeed178bc76b7b54e6db53731f08f54d16cd92f5e64d3a74b403ed.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 264
      4⤵
      Program crash
      PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1440 -ip 1440
1⤵
PID:3564

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
221KB

MD5
6c9abd4551ccfd12b285ec5c740a2bb8

SHA1
4640a138c6f01b6fd927d5f1f49b2d04644db20b

SHA256
4ce5215c13ae8d33da5484e6e6ce6c10bfe7e69853265b1a5f1a3dc70c745206

SHA512
53d9a8edc41595e896794d2a9071f58a6bbe61b8ca0fbc20d46e5813d747ee3118404345151e5f4405100db4b2fccf8e6a095ea593857ec77d4f1d8fd34dbbe0

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
221KB

MD5
6c9abd4551ccfd12b285ec5c740a2bb8

SHA1
4640a138c6f01b6fd927d5f1f49b2d04644db20b

SHA256
4ce5215c13ae8d33da5484e6e6ce6c10bfe7e69853265b1a5f1a3dc70c745206

SHA512
53d9a8edc41595e896794d2a9071f58a6bbe61b8ca0fbc20d46e5813d747ee3118404345151e5f4405100db4b2fccf8e6a095ea593857ec77d4f1d8fd34dbbe0

Download Submit
memory/1440-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5096-136-0x0000000010000000-0x000000001004E000-memory.dmp

Filesize
312KB

Download
memory/5096-138-0x0000000010000000-0x000000001004E000-memory.dmp

Filesize
312KB

Download