c23164b8226f13f9760d1786eddc89b4f1b332ac383557129ee9581c3c25b350

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 02:38

Target

c23164b8226f13f9760d1786eddc89b4f1b332ac383557129ee9581c3c25b350.dll
Size

203KB
MD5

5546648fa7ecb3b00e3b2ae37bd0f938
SHA1

a3eccd4bb2fe0fd36efe4bda08118544cd8ec38b
SHA256

c23164b8226f13f9760d1786eddc89b4f1b332ac383557129ee9581c3c25b350
SHA512

632cf2667105203386610803c56e67ff754d0dc96069c0283ef99caab6c2dd5b791c5007e16aba20a3f1724c0836808e8040b5823b60ff010bf80ffe25299112
SSDEEP

3072:SJ8IMILmCa3yx6oFEdgVXnFYf7C9Ugfxm3Nep9viMGFZ:RkmCaiEoFEd+FYOtxmdeviMGb

Score

9^/10

upx

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/2944-0-0x0000000010000000-0x0000000010033000-memory.dmp	UPX
behavioral1/memory/2944-3-0x0000000010000000-0x0000000010033000-memory.dmp	UPX
behavioral1/memory/2944-5-0x0000000010000000-0x0000000010033000-memory.dmp	UPX
behavioral1/memory/2944-1-0x0000000010000000-0x0000000010033000-memory.dmp	UPX
behavioral1/memory/2944-10-0x0000000010000000-0x0000000010033000-memory.dmp	UPX

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2944-0-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2944-3-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2944-5-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2944-1-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2944-10-0x0000000010000000-0x0000000010033000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	2944	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2944	2972	rundll32.exe	27
PID 2972 wrote to memory of 2944	2972	rundll32.exe	27
PID 2972 wrote to memory of 2944	2972	rundll32.exe	27
PID 2972 wrote to memory of 2944	2972	rundll32.exe	27
PID 2972 wrote to memory of 2944	2972	rundll32.exe	27
PID 2972 wrote to memory of 2944	2972	rundll32.exe	27
PID 2972 wrote to memory of 2944	2972	rundll32.exe	27
PID 2944 wrote to memory of 2636	2944	rundll32.exe	28
PID 2944 wrote to memory of 2636	2944	rundll32.exe	28
PID 2944 wrote to memory of 2636	2944	rundll32.exe	28
PID 2944 wrote to memory of 2636	2944	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c23164b8226f13f9760d1786eddc89b4f1b332ac383557129ee9581c3c25b350.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c23164b8226f13f9760d1786eddc89b4f1b332ac383557129ee9581c3c25b350.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 328
    3⤵
    - Program crash
    PID:2636

memory/2944-0-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2944-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2944-3-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2944-5-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2944-1-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2944-10-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download