9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2

Analysis

max time kernel
132s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 00:50

Target

9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2.dll
Size

76KB
MD5

98a18b4fd033647d7d6630094d1d3cbe
SHA1

d9af37abad7842ad1b7efe7be78ff8e9deed78ec
SHA256

9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2
SHA512

ef44758d14e16ba759e1c2cd2419f57a99b7b353bafe1178da6f1fc4722a51d7fdd897108c804e5d5b423a1e899837026191cfe3b2df9255c150b37a1dd96265
SSDEEP

1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7Zv2JIExML57:c8y93KQjy7G55riF1cMo03wG957

Score

9^/10

upx

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral2/memory/2540-0-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/2540-2-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2540-0-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2540-2-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3884	2540	WerFault.exe	83

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2540	1280	rundll32.exe	83
PID 1280 wrote to memory of 2540	1280	rundll32.exe	83
PID 1280 wrote to memory of 2540	1280	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d13710f0fe334d2f5c93fdff2bcc6174a6da6823468592f1afb5674ba2e73c2.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 672
    3⤵
    - Program crash
    PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2540 -ip 2540
1⤵
PID:976

memory/2540-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2540-2-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download