146126cfa7bf32a5c31d48b38697ea3c661362c0f5d82a1964af0d19a6247915

Analysis

max time kernel
116s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 07:29

Target

node.dll
Size

8.1MB
MD5

04a4b044c29d2e53d4dc5744d19ca974
SHA1

dd29c0e95933f4c359eb83b495c96dd52362d9d2
SHA256

30b85e314bba93c4fd977b1c986d65e24cea08ac8db34c3d8ef1dbb940490667
SHA512

66c5d56acc1fa319b54a8a7ce682dc2babc29cbb885764033b9ac83ba906189a3ebc9eb3a081f6f04470513b5bbe02043b3a7e8f29e7d7646bd9e123a9187bc8
SSDEEP

98304:n5LHoFAEa4PPzCGnNDTm7TLeZbhMN4tBhdBqOFSI9mvexS6KNGYTudCC2spOLNbI:n5LH0hjJnN2wkkB5FrM6KNDAe+ORa5

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral10/memory/3132-0-0x0000000073410000-0x0000000074CC5000-memory.dmp	upx
behavioral10/memory/3132-1-0x0000000073410000-0x0000000074CC5000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	3132	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3132	2468	rundll32.exe	83
PID 2468 wrote to memory of 3132	2468	rundll32.exe	83
PID 2468 wrote to memory of 3132	2468	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\node.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\node.dll,#1
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 676
    3⤵
    - Program crash
    PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3132 -ip 3132
1⤵
PID:2884

memory/3132-0-0x0000000073410000-0x0000000074CC5000-memory.dmp

Filesize
24.7MB

Download
memory/3132-1-0x0000000073410000-0x0000000074CC5000-memory.dmp

Filesize
24.7MB

Download