16d01f2db892caaa76723644d64768def9b4dc6520b4b4b5455544d4bc4a6409

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 03:11

Target

47ded890f9937867aa31afe6bda2d66c.dll
Size

528KB
MD5

47ded890f9937867aa31afe6bda2d66c
SHA1

76a14b20830760c4caefafd69a907cefeb0093f9
SHA256

16d01f2db892caaa76723644d64768def9b4dc6520b4b4b5455544d4bc4a6409
SHA512

01c7e9a8051c9e32a836338ed5a8ec42f812541de756983c456fab2d53732cbf579fdd7d6d1245466e6b17610eef960ffeb94dc02651715e9dbace38a64c694a
SSDEEP

12288:gV7LMzw56Wx1Dk/qon6xyYhgPFaUVltwC1UOLMTQi:K1oC3yWgPFzMTQi

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4688	rundll32mgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4688-5-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4688-7-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process
3964	4688	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 3676	32	rundll32.exe	14
PID 32 wrote to memory of 3676	32	rundll32.exe	14
PID 32 wrote to memory of 3676	32	rundll32.exe	14
PID 3676 wrote to memory of 4688	3676	rundll32.exe	26
PID 3676 wrote to memory of 4688	3676	rundll32.exe	26
PID 3676 wrote to memory of 4688	3676	rundll32.exe	26

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ded890f9937867aa31afe6bda2d66c.dll,#1
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\rundll32mgr.exe
  C:\Windows\SysWOW64\rundll32mgr.exe
  2⤵
  - Executes dropped EXE
  PID:4688

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ded890f9937867aa31afe6bda2d66c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4688 -ip 4688
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 272
1⤵
- Program crash
PID:3964

memory/3676-1-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download
memory/4688-6-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4688-5-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4688-7-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download