9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 00:50

Target

9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2.dll
Size

76KB
MD5

98a18b4fd033647d7d6630094d1d3cbe
SHA1

d9af37abad7842ad1b7efe7be78ff8e9deed78ec
SHA256

9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2
SHA512

ef44758d14e16ba759e1c2cd2419f57a99b7b353bafe1178da6f1fc4722a51d7fdd897108c804e5d5b423a1e899837026191cfe3b2df9255c150b37a1dd96265
SSDEEP

1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7Zv2JIExML57:c8y93KQjy7G55riF1cMo03wG957

Score

9^/10

upx

UPX dump on OEP (original entry point) 1 IoCs

resource	yara_rule
behavioral1/memory/2464-0-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2464-0-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	2464	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2464	1556	rundll32.exe	28
PID 1556 wrote to memory of 2464	1556	rundll32.exe	28
PID 1556 wrote to memory of 2464	1556	rundll32.exe	28
PID 1556 wrote to memory of 2464	1556	rundll32.exe	28
PID 1556 wrote to memory of 2464	1556	rundll32.exe	28
PID 1556 wrote to memory of 2464	1556	rundll32.exe	28
PID 1556 wrote to memory of 2464	1556	rundll32.exe	28
PID 2464 wrote to memory of 2492	2464	rundll32.exe	29
PID 2464 wrote to memory of 2492	2464	rundll32.exe	29
PID 2464 wrote to memory of 2492	2464	rundll32.exe	29
PID 2464 wrote to memory of 2492	2464	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 272
    3⤵
    - Program crash
    PID:2492

memory/2464-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download