0097396ce39428d8b62bd08e5a67bd7db9d36a103a47e87c67270259b212adf3

Analysis

max time kernel
131s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 00:12

Target

0097396ce39428d8b62bd08e5a67bd7db9d36a103a47e87c67270259b212adf3.dll
Size

147KB
MD5

d5749a3d1445cccfc5b94f36677f8a7b
SHA1

4186f22412f3e6388d77d21462d278f01706b45e
SHA256

0097396ce39428d8b62bd08e5a67bd7db9d36a103a47e87c67270259b212adf3
SHA512

73f7cc045ee92b89872ec3723d23b9bbbfa4030b5caa45f31964400ba08b044c5772322485d5ea3903a2c8f7767bb25c545a9e2afe4705cd7364e71846d5fabf
SSDEEP

3072:0j19MAL6Ah/KDk982lQBV+UdE+rECWp7hKkn:0RKXuqBV+UdvrEFp7hKkn

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
2312	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2312-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2312-9-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3040	2312	WerFault.exe	14

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2312	3020	rundll32.exe	14
PID 3020 wrote to memory of 2312	3020	rundll32.exe	14
PID 3020 wrote to memory of 2312	3020	rundll32.exe	14
PID 3020 wrote to memory of 2312	3020	rundll32.exe	14
PID 3020 wrote to memory of 2312	3020	rundll32.exe	14
PID 3020 wrote to memory of 2312	3020	rundll32.exe	14
PID 3020 wrote to memory of 2312	3020	rundll32.exe	14
PID 2312 wrote to memory of 3040	2312	rundll32.exe	15
PID 2312 wrote to memory of 3040	2312	rundll32.exe	15
PID 2312 wrote to memory of 3040	2312	rundll32.exe	15
PID 2312 wrote to memory of 3040	2312	rundll32.exe	15

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0097396ce39428d8b62bd08e5a67bd7db9d36a103a47e87c67270259b212adf3.dll,#1
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 336
  2⤵
  - Program crash
  PID:3040

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0097396ce39428d8b62bd08e5a67bd7db9d36a103a47e87c67270259b212adf3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3020

memory/2312-6-0x00000000749A0000-0x00000000749B2000-memory.dmp

Filesize
72KB

Download
memory/2312-5-0x00000000749A0000-0x00000000749B2000-memory.dmp

Filesize
72KB

Download
memory/2312-4-0x00000000749A0000-0x00000000749B2000-memory.dmp

Filesize
72KB

Download
memory/2312-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2312-9-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download