1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da

Analysis

max time kernel
184s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 13:41

Target

1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da.dll
Size

712KB
MD5

b0598f603501f4c19c6b5e12bbad0140
SHA1

58abbab28c4290b4acf8c06b211cd0a495a5cad7
SHA256

1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da
SHA512

5ea1551674e23d26899cc2763cf34c071dedc9b804d944b9738c850fa553ea1059fef8432cf3e026c182ea5d0748bf8b0511ec76a3b01fd16362e95cbebf5876
SSDEEP

12288:KehnaNPpSVZmNxRCwnwm3W3OHIIf5Gs/Yklv44iNAzQxBJ:Keh0PpS6NxNnwYeOHXwKYwtiN3l

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4628	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0008000000022e30-136.dat	upx
behavioral2/files/0x0008000000022e30-135.dat	upx
behavioral2/memory/4628-137-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4260	4628	WerFault.exe	80
1860	4504	WerFault.exe	78

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 4504	1268	rundll32.exe	78
PID 1268 wrote to memory of 4504	1268	rundll32.exe	78
PID 1268 wrote to memory of 4504	1268	rundll32.exe	78
PID 4504 wrote to memory of 4628	4504	rundll32.exe	80
PID 4504 wrote to memory of 4628	4504	rundll32.exe	80
PID 4504 wrote to memory of 4628	4504	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 260
      4⤵
      Program crash
      PID:4260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 608
    3⤵
    - Program crash
    PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4504 -ip 4504
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4628 -ip 4628
1⤵
PID:5060

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
329KB

MD5
b9fafc0d8b37b03f15cb13306f83876c

SHA1
9ff757465fd46ef2d9d56c5e57a202f57cd06217

SHA256
b3016e8e6380563a2359bb84dc97cb81cc4638d9a52b48d49e576a8d777f65d1

SHA512
68a99095a0d24278cfa2f5700c16ee3459813cd31d10f5d8d38cac2c4dedfcdb3b05eb197b061f473965f000d869420fe279c6096a695414fec7de5c40a346eb

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
329KB

MD5
b9fafc0d8b37b03f15cb13306f83876c

SHA1
9ff757465fd46ef2d9d56c5e57a202f57cd06217

SHA256
b3016e8e6380563a2359bb84dc97cb81cc4638d9a52b48d49e576a8d777f65d1

SHA512
68a99095a0d24278cfa2f5700c16ee3459813cd31d10f5d8d38cac2c4dedfcdb3b05eb197b061f473965f000d869420fe279c6096a695414fec7de5c40a346eb

Download Submit
memory/4504-133-0x0000000010000000-0x00000000100B4000-memory.dmp

Filesize
720KB

Download
memory/4504-138-0x0000000010000000-0x00000000100B4000-memory.dmp

Filesize
720KB

Download
memory/4628-137-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download