39d8b743e14ebbc6207fe5323517e490c173a1b52b54df85c4083fe3008d0cf5

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 15:06

Target

bb90d52e26b0e9d7cdfbfbe1c88e4483.dll
Size

480KB
MD5

bb90d52e26b0e9d7cdfbfbe1c88e4483
SHA1

ed46259f466d07a04198c7ae53c3e5a6c4453acf
SHA256

39d8b743e14ebbc6207fe5323517e490c173a1b52b54df85c4083fe3008d0cf5
SHA512

0a8fe7df614bd739fa429b7d9314e920b162466260f94d4fd429ab6e836dc60d8a2258dda39c12a146cbece8a464a99d9782c7d7734942420216067a3478b6e1
SSDEEP

12288:GXo450qjYthuCNIm/kqF6a2FjyHIDixqVIKEgxkecm4k:P/ku6FjyHesqVI/gy1m4k

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
3660	rundll32mgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0008000000023261-3.dat	upx
behavioral2/memory/3660-5-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4004	2860	WerFault.exe	92
3676	3660	WerFault.exe	94

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2860	1712	rundll32.exe	92
PID 1712 wrote to memory of 2860	1712	rundll32.exe	92
PID 1712 wrote to memory of 2860	1712	rundll32.exe	92
PID 2860 wrote to memory of 3660	2860	rundll32.exe	94
PID 2860 wrote to memory of 3660	2860	rundll32.exe	94
PID 2860 wrote to memory of 3660	2860	rundll32.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb90d52e26b0e9d7cdfbfbe1c88e4483.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb90d52e26b0e9d7cdfbfbe1c88e4483.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:3660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 260
      4⤵
      Program crash
      PID:3676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 696
    3⤵
    - Program crash
    PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2860 -ip 2860
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3660 -ip 3660
1⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4140

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
104KB

MD5
c758e8207cc5315a53302a7709b6f049

SHA1
64b7b5417d23f4404b75de4bc82e682294d7319f

SHA256
f73c54d6623c95f858cf13189d367c9a6f1b652a831f4a79435e2f689cd3cbec

SHA512
65954d5ff43ad8447391f8ea1520f55eba789f0224cc588b58556f58f5d0641181afeec003e970ee20ac0cf8039aebf009ee9d7b839f2cd87ab920d69399d6eb

Download Submit
memory/2860-0-0x0000000010000000-0x00000000126B0000-memory.dmp

Filesize
38.7MB

Download
memory/2860-7-0x0000000010000000-0x00000000126B0000-memory.dmp

Filesize
38.7MB

Download
memory/3660-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3660-6-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download