1c6d6b3ddea8e478a2cb1a71f2aa4ebd849d3d422d12b3d271796c01eb3ab2f8

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:22

Target

0ccf06d959a7ecb84001e82c4a93cc59.dll
Size

13KB
MD5

0ccf06d959a7ecb84001e82c4a93cc59
SHA1

776ee8354c042aaeff50dc48b66132002afb5fdd
SHA256

1c6d6b3ddea8e478a2cb1a71f2aa4ebd849d3d422d12b3d271796c01eb3ab2f8
SHA512

aa69be6024a98d4ed7f7711e02fe3f1e755232d84d9ea9b9e728cef6e5552c645a6f3a5cab17b54e89c3cf00c481da8713eaa5469e95538f4b39b994c69477c0
SSDEEP

384:Roga7P3zobB7vU7uTMxNsmE0a5dj/DaNJawcudoD7U:CgaXQ5UCMxNsmEr5dKnbcuyD7U

Score

7^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2516-1-0x0000000010000000-0x000000001000A000-memory.dmp	upx
behavioral1/memory/2516-0-0x0000000010000000-0x000000001000A000-memory.dmp	upx
behavioral1/memory/2516-2-0x0000000010000000-0x000000001000A000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process
1836	2516	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2516	2080	rundll32.exe	17
PID 2080 wrote to memory of 2516	2080	rundll32.exe	17
PID 2080 wrote to memory of 2516	2080	rundll32.exe	17
PID 2080 wrote to memory of 2516	2080	rundll32.exe	17
PID 2080 wrote to memory of 2516	2080	rundll32.exe	17
PID 2080 wrote to memory of 2516	2080	rundll32.exe	17
PID 2080 wrote to memory of 2516	2080	rundll32.exe	17
PID 2516 wrote to memory of 1836	2516	rundll32.exe	16
PID 2516 wrote to memory of 1836	2516	rundll32.exe	16
PID 2516 wrote to memory of 1836	2516	rundll32.exe	16
PID 2516 wrote to memory of 1836	2516	rundll32.exe	16

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ccf06d959a7ecb84001e82c4a93cc59.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ccf06d959a7ecb84001e82c4a93cc59.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 244
1⤵
- Program crash
PID:1836

memory/2516-1-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2516-0-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2516-2-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download