b213e28624b932210ca2a0f454edb0bd91db36832dfce3864b69982b88aa4fe1

Analysis

max time kernel
13s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:32

Target

b213e28624b932210ca2a0f454edb0bd91db36832dfce3864b69982b88aa4fe1.dll
Size

16KB
MD5

d1838edb1139cdeec58e20ba8be83ff0
SHA1

bd05770666205ee9a112b5eee5e98cad32d13cd2
SHA256

b213e28624b932210ca2a0f454edb0bd91db36832dfce3864b69982b88aa4fe1
SHA512

84775715331ad346a9fbb10d426d1ff4fd7bc73752f851d6076fe3eeb5029287edb55fe4c2df486690d3561ebe57d379360001f1a03817facf1b852e9d9449f7
SSDEEP

384:S9a7L+KQ6B1WiXZopmPgzXmRYElh1LB9RTlnXLRbzl7S:SYW6rGpUIJmLNlXFb5S

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1704-56-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	1704	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1704	1912	rundll32.exe	27
PID 1912 wrote to memory of 1704	1912	rundll32.exe	27
PID 1912 wrote to memory of 1704	1912	rundll32.exe	27
PID 1912 wrote to memory of 1704	1912	rundll32.exe	27
PID 1912 wrote to memory of 1704	1912	rundll32.exe	27
PID 1912 wrote to memory of 1704	1912	rundll32.exe	27
PID 1912 wrote to memory of 1704	1912	rundll32.exe	27
PID 1704 wrote to memory of 1892	1704	rundll32.exe	28
PID 1704 wrote to memory of 1892	1704	rundll32.exe	28
PID 1704 wrote to memory of 1892	1704	rundll32.exe	28
PID 1704 wrote to memory of 1892	1704	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b213e28624b932210ca2a0f454edb0bd91db36832dfce3864b69982b88aa4fe1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b213e28624b932210ca2a0f454edb0bd91db36832dfce3864b69982b88aa4fe1.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 228
    3⤵
    - Program crash
    PID:1892

memory/1704-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1704-56-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download