a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 04:17

Target

a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll
Size

76KB
MD5

3b8da76aaebec6d8aab5dacfd9fff370
SHA1

462c82c2a234ac9269e746f6d0976bd25ced9f00
SHA256

a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651
SHA512

6cafe4478155677b9e2a877a1edb25c839442c4ccbfd9f63286d25fc4070986b361a79f313de538858a3a99bfcaef1a65d64225c275056ed8d7c6362000423ea
SSDEEP

1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZjL73:c8y93KQjy7G55riF1cMo03h3

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/2884-0-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2884-1-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1708 2884 WerFault.exe rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2884 rundll32.exe

pid	pid_target	process	target process
1708	2884	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2884	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2868 wrote to memory of 2884	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 2884	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 2884	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 2884	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 2884	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 2884	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 2884	2868	rundll32.exe	rundll32.exe
PID 2884 wrote to memory of 1708	2884	rundll32.exe	WerFault.exe
PID 2884 wrote to memory of 1708	2884	rundll32.exe	WerFault.exe
PID 2884 wrote to memory of 1708	2884	rundll32.exe	WerFault.exe
PID 2884 wrote to memory of 1708	2884	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 308
3⤵
- Program crash
PID:1708

memory/2884-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2884-1-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download