3dd2c22842da9e5f9a4954f0dd9c69ad74350cd8922fde97fb8dfc79f8fe36fc

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:08

Target

$PLUGINSDIR/md5dll.dll
Size

6KB
MD5

7059f133ea2316b9e7e39094a52a8c34
SHA1

ee9f1487c8152d8c42fecf2efb8ed1db68395802
SHA256

32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
SHA512

9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51
SSDEEP

96:5mArJv6F3TqDmgK4ghEin1US36eHQZDUDgGogZcko5Nt4AMP:5XJ63LhR6inZ6dsgZkKQT

Score

7^/10

upx

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral11/memory/2064-0-0x0000000010000000-0x000000001000A000-memory.dmp	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral11/memory/2064-0-0x0000000010000000-0x000000001000A000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2864 2064 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2864	2064	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2028 wrote to memory of 2064	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2064	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2064	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2064	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2064	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2064	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2064	2028	rundll32.exe	rundll32.exe
PID 2064 wrote to memory of 2864	2064	rundll32.exe	WerFault.exe
PID 2064 wrote to memory of 2864	2064	rundll32.exe	WerFault.exe
PID 2064 wrote to memory of 2864	2064	rundll32.exe	WerFault.exe
PID 2064 wrote to memory of 2864	2064	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 224
    3⤵
    - Program crash
    PID:2864

memory/2064-0-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download