cecb0732c52040f5b3e7c928911856e27729ef6dfba2aaa4330f8729142189e0

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-06-2023 19:26

Target

cecb0732c52040f5b3e7c928911856e27729ef6dfba2aaa4330f8729142189e0.dll
Size

736KB
MD5

2a379ac1a65a9ca1153ec00a88ae5882
SHA1

cef33943cd3be1f1bc795faba7027d9a0fee0ed9
SHA256

cecb0732c52040f5b3e7c928911856e27729ef6dfba2aaa4330f8729142189e0
SHA512

dfcc891560b339a10ac189aeaeacf92e2304728d67eea27411b2ee0ae8e6af1f7a194766238afa8b04537f831baac7354771f141a2c878f9e92e287e143145f3
SSDEEP

12288:1oOQsWr7hnaKhoqzkwk7tbl1EBC3YNHJv2G8A//glm:1oOQsWrta+oWW7tbDEBC+v2U/S

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1684-54-0x00000000001F0000-0x00000000001FB000-memory.dmp	upx
behavioral1/memory/1684-55-0x00000000001F0000-0x00000000001FB000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2012 1684 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2012	1684	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1724 wrote to memory of 1684	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1684	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1684	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1684	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1684	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1684	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1684	1724	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2012	1684	rundll32.exe	WerFault.exe
PID 1684 wrote to memory of 2012	1684	rundll32.exe	WerFault.exe
PID 1684 wrote to memory of 2012	1684	rundll32.exe	WerFault.exe
PID 1684 wrote to memory of 2012	1684	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cecb0732c52040f5b3e7c928911856e27729ef6dfba2aaa4330f8729142189e0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cecb0732c52040f5b3e7c928911856e27729ef6dfba2aaa4330f8729142189e0.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 272
    3⤵
    - Program crash
    PID:2012

memory/1684-54-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download
memory/1684-55-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download