1c104c693e32328e6e2fab19ef19b5bbe03a58425d0e43d46dac299b15b52ed2

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 10:20

Target

1c104c693e32328e6e2fab19ef19b5bbe03a58425d0e43d46dac299b15b52ed2.dll
Size

2.5MB
MD5

9dae04fab67d3f7c44ec8eddfb290e93
SHA1

801e1856412a7ec35c5ea74ba5f107871f79dc4e
SHA256

1c104c693e32328e6e2fab19ef19b5bbe03a58425d0e43d46dac299b15b52ed2
SHA512

bba69f74b94e758f22c3bf4e660338c4f5e6200cace63a85b337c323896f387e7c08343bc7691de9833c7e4275261e440b7b8907d03c6806fd44c17a0295ca3b
SSDEEP

49152:O4zeiU5esGlRy0DykruZHphjN1C0mysB1R3aEKLM/WstH9l6FO2pNpCVCY0XUHAC:9PsbeyTLN4ysB1RbKo/zHP6FXNpCVCY7

Score

7^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2920-0-0x0000000012000000-0x0000000012512000-memory.dmp	upx
behavioral1/memory/2920-1-0x0000000012000000-0x0000000012512000-memory.dmp	upx
behavioral1/memory/2920-3-0x00000000766F0000-0x0000000076800000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\envoy.dll	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2920	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2920	1208	rundll32.exe	28
PID 1208 wrote to memory of 2920	1208	rundll32.exe	28
PID 1208 wrote to memory of 2920	1208	rundll32.exe	28
PID 1208 wrote to memory of 2920	1208	rundll32.exe	28
PID 1208 wrote to memory of 2920	1208	rundll32.exe	28
PID 1208 wrote to memory of 2920	1208	rundll32.exe	28
PID 1208 wrote to memory of 2920	1208	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c104c693e32328e6e2fab19ef19b5bbe03a58425d0e43d46dac299b15b52ed2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c104c693e32328e6e2fab19ef19b5bbe03a58425d0e43d46dac299b15b52ed2.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2920

memory/2920-0-0x0000000012000000-0x0000000012512000-memory.dmp

Filesize
5.1MB

Download
memory/2920-1-0x0000000012000000-0x0000000012512000-memory.dmp

Filesize
5.1MB

Download
memory/2920-3-0x00000000766F0000-0x0000000076800000-memory.dmp

Filesize
1.1MB

Download