94c37902b1cda00a7bf6d6ea23de1873b058987b3927709e1c7cd0f705c36078

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:27

Target

94c37902b1cda00a7bf6d6ea23de1873b058987b3927709e1c7cd0f705c36078.dll
Size

76KB
MD5

509f505a1012aed75790be68f09b4a4f
SHA1

78d9c76fa50a5472b8083ccbf6766c502661c536
SHA256

94c37902b1cda00a7bf6d6ea23de1873b058987b3927709e1c7cd0f705c36078
SHA512

f43f7679c476f43fb7fde375894b5aec15891d0b31997a4b040076c3edcba7826b7a91de6d00651734ef00d92914f4d6253aa5815f67bba10946ae803e880c1b
SSDEEP

1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7Z5abVu:c8y93KQjy7G55riF1cMo03gM

Score

9^/10

upx

UPX dump on OEP (original entry point) 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1240-0-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1240-0-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2056 1240 WerFault.exe rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1240 rundll32.exe

pid	pid_target	process	target process
2056	1240	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1240	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1688 wrote to memory of 1240	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1240	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1240	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1240	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1240	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1240	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1240	1688	rundll32.exe	rundll32.exe
PID 1240 wrote to memory of 2056	1240	rundll32.exe	WerFault.exe
PID 1240 wrote to memory of 2056	1240	rundll32.exe	WerFault.exe
PID 1240 wrote to memory of 2056	1240	rundll32.exe	WerFault.exe
PID 1240 wrote to memory of 2056	1240	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\94c37902b1cda00a7bf6d6ea23de1873b058987b3927709e1c7cd0f705c36078.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 340
3⤵
- Program crash
PID:2056

memory/1240-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download