98d1a02a1eb441837422e202ff1ae80a67214cd2a9f9c69a3c531976fc7053f6

Analysis

max time kernel
129s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:56

Target

98d1a02a1eb441837422e202ff1ae80a67214cd2a9f9c69a3c531976fc7053f6.dll
Size

76KB
MD5

527aa9bc06168c51cc43ea7327dcc1ec
SHA1

36830281eedd4f108f336b69accabe6224794c88
SHA256

98d1a02a1eb441837422e202ff1ae80a67214cd2a9f9c69a3c531976fc7053f6
SHA512

cd1627ccc481d01af8804e1723ac15f9a1b81f050dc683c250511095ffe327c363d1b7c4c27d47d0fe5c7dc9aa276984fe5d26f85a4741b95e0d8e48797160ad
SSDEEP

1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7Ze4ZSc9JBE:c8y93KQjy7G55riF1cMo03AqSc/q

Score

9^/10

upx

UPX dump on OEP (original entry point) 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/788-0-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/788-2-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/788-0-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/788-2-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4384 788 WerFault.exe rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 788 rundll32.exe

pid	pid_target	process	target process
4384	788	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	788	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1940 wrote to memory of 788	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 788	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 788	1940	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\98d1a02a1eb441837422e202ff1ae80a67214cd2a9f9c69a3c531976fc7053f6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\98d1a02a1eb441837422e202ff1ae80a67214cd2a9f9c69a3c531976fc7053f6.dll,#1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 704
3⤵
- Program crash
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 788 -ip 788
1⤵
PID:4020

memory/788-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/788-2-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download