353e5dfd6d89a125deb17f8c4ef66e5d207e3674b6386b338d37e0d9ae1369f6

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:10

Target

353e5dfd6d89a125deb17f8c4ef66e5d207e3674b6386b338d37e0d9ae1369f6.dll
Size

76KB
MD5

9db2841718602eb09c01e301387e6bad
SHA1

ffd4105e2b577ad841cd0db7a330bde523679184
SHA256

353e5dfd6d89a125deb17f8c4ef66e5d207e3674b6386b338d37e0d9ae1369f6
SHA512

18f7b35cf7f6a48ae0f5340311eef6c5e11fdb5766a53f29879f32f2258b5f3e7f2d8e4595d33380512d614b96645724290f8689404276f864db281600adba78
SSDEEP

1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZfiQxy:c8y93KQjy7G55riF1cMo031Xw

Score

7^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/2600-0-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1996 2600 WerFault.exe rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2600 rundll32.exe

pid	pid_target	process	target process
1996	2600	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2600	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1656 wrote to memory of 2600	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2600	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2600	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2600	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2600	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2600	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2600	1656	rundll32.exe	rundll32.exe
PID 2600 wrote to memory of 1996	2600	rundll32.exe	WerFault.exe
PID 2600 wrote to memory of 1996	2600	rundll32.exe	WerFault.exe
PID 2600 wrote to memory of 1996	2600	rundll32.exe	WerFault.exe
PID 2600 wrote to memory of 1996	2600	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\353e5dfd6d89a125deb17f8c4ef66e5d207e3674b6386b338d37e0d9ae1369f6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 336
3⤵
- Program crash
PID:1996

memory/2600-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2600-1-0x0000000000040000-0x000000000004E000-memory.dmp

Filesize
56KB

Download