51ed3dbec3da0a6d5eafe049c40456034d578ce06016ce502d648f49bb5ba754

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 21:32

Target

51ed3dbec3da0a6d5eafe049c40456034d578ce06016ce502d648f49bb5ba754.dll
Size

76KB
MD5

488a856292f6270181f7662adbd73c03
SHA1

3ab352d1a02c94895f83e5180dae7e6d3c4aaf56
SHA256

51ed3dbec3da0a6d5eafe049c40456034d578ce06016ce502d648f49bb5ba754
SHA512

5d63e59795127c4013e86bf2b2fc1fd380b137c6ac44d96272942b20176d22b0f8de7d810af8e8c28ce566a2e1ecfd4764e6093e7a0725506e826dbb495b9723
SSDEEP

1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZE04PR:c8y93KQjy7G55riF1cMo03W04PR

Score

9^/10

upx

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral1/memory/2344-1-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/2344-0-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/2344-2-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2344-1-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2344-0-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2344-2-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process
2508	2344	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2344	1440	rundll32.exe	28
PID 1440 wrote to memory of 2344	1440	rundll32.exe	28
PID 1440 wrote to memory of 2344	1440	rundll32.exe	28
PID 1440 wrote to memory of 2344	1440	rundll32.exe	28
PID 1440 wrote to memory of 2344	1440	rundll32.exe	28
PID 1440 wrote to memory of 2344	1440	rundll32.exe	28
PID 1440 wrote to memory of 2344	1440	rundll32.exe	28
PID 2344 wrote to memory of 2508	2344	rundll32.exe	29
PID 2344 wrote to memory of 2508	2344	rundll32.exe	29
PID 2344 wrote to memory of 2508	2344	rundll32.exe	29
PID 2344 wrote to memory of 2508	2344	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\51ed3dbec3da0a6d5eafe049c40456034d578ce06016ce502d648f49bb5ba754.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\51ed3dbec3da0a6d5eafe049c40456034d578ce06016ce502d648f49bb5ba754.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 332
    3⤵
    - Program crash
    PID:2508

memory/2344-1-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2344-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2344-2-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download