9e04a881bc821b139a993e005d41484341542a271d172c924c42a2a086580d1a

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 05:53

Target

40167c3ef4b1afd2b897d89fdf612d1041c7e9e24169e5f32ebc0b00c7860c2b.dll
Size

449KB
MD5

f8e17ef618392dace3fc6b772c18e1e5
SHA1

ec97dbe18f4bd510636e6315095ec1439c3e92f4
SHA256

9e04a881bc821b139a993e005d41484341542a271d172c924c42a2a086580d1a
SHA512

c415c9c68485c707e0d468cbb542a3f6b03396c2e8efe2174fae42cd3586681e214dddd58093126f67dd5dfea66e328bbdfb85d2261ab93c857743fce3320a4c
SSDEEP

6144:/qMmee6ICfPQAX5/6HVtDA6ZZ61S5CkxL3XzsEiadXbg5GtvAgvU:iMSbCfIHkUs1SFxLnzsEi0Xrxu

Score

7^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1752-0-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1752-1-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1752-2-0x0000000010000000-0x0000000010038000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1340	1752	WerFault.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1752	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1752	2252	rundll32.exe	28
PID 2252 wrote to memory of 1752	2252	rundll32.exe	28
PID 2252 wrote to memory of 1752	2252	rundll32.exe	28
PID 2252 wrote to memory of 1752	2252	rundll32.exe	28
PID 2252 wrote to memory of 1752	2252	rundll32.exe	28
PID 2252 wrote to memory of 1752	2252	rundll32.exe	28
PID 2252 wrote to memory of 1752	2252	rundll32.exe	28
PID 1752 wrote to memory of 1340	1752	rundll32.exe	29
PID 1752 wrote to memory of 1340	1752	rundll32.exe	29
PID 1752 wrote to memory of 1340	1752	rundll32.exe	29
PID 1752 wrote to memory of 1340	1752	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\40167c3ef4b1afd2b897d89fdf612d1041c7e9e24169e5f32ebc0b00c7860c2b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\40167c3ef4b1afd2b897d89fdf612d1041c7e9e24169e5f32ebc0b00c7860c2b.dll,#1
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 252
    3⤵
    - Program crash
    PID:1340

memory/1752-0-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1752-1-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1752-2-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download