50e448855e971762fcd6a7c0e46e622dc0a749416afb6e6113c62d6cb4fe4273

Analysis

max time kernel
154s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 22:19

Target

50e448855e971762fcd6a7c0e46e622dc0a749416afb6e6113c62d6cb4fe4273.dll
Size

76KB
MD5

582b69ec7eeb4ad8d77d6ca3ec2a1511
SHA1

4abdca720e5c256161d97c193230958bfc94b68f
SHA256

50e448855e971762fcd6a7c0e46e622dc0a749416afb6e6113c62d6cb4fe4273
SHA512

6d38d61e7214d2371ccec0d7cb0fbf47635a67d1eef088904fba4274cc154a03d6b40cc3b1d4e0dffc54e6ceb07f2e3662490caecb5f590bb1f71de9458c0d29
SSDEEP

1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZbPj:c8y93KQjy7G55riF1cMo03l

Score

9^/10

upx

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral1/memory/2884-0-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/2884-1-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2884-0-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2884-1-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	2884	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2884	2104	rundll32.exe	27
PID 2104 wrote to memory of 2884	2104	rundll32.exe	27
PID 2104 wrote to memory of 2884	2104	rundll32.exe	27
PID 2104 wrote to memory of 2884	2104	rundll32.exe	27
PID 2104 wrote to memory of 2884	2104	rundll32.exe	27
PID 2104 wrote to memory of 2884	2104	rundll32.exe	27
PID 2104 wrote to memory of 2884	2104	rundll32.exe	27
PID 2884 wrote to memory of 2752	2884	rundll32.exe	29
PID 2884 wrote to memory of 2752	2884	rundll32.exe	29
PID 2884 wrote to memory of 2752	2884	rundll32.exe	29
PID 2884 wrote to memory of 2752	2884	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\50e448855e971762fcd6a7c0e46e622dc0a749416afb6e6113c62d6cb4fe4273.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\50e448855e971762fcd6a7c0e46e622dc0a749416afb6e6113c62d6cb4fe4273.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 248
    3⤵
    - Program crash
    PID:2752

memory/2884-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2884-1-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download