89688234e510a8e55d4ae94d98fe49ed1b3cddebcb68da7e2a6c3497bc7e11a8

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 06:58

Target

a283be2131f3125c3eb66f90635a4280N.dll
Size

76KB
MD5

a283be2131f3125c3eb66f90635a4280
SHA1

c1507f5b539a49f89abdbcde031f3de1d4bbb33a
SHA256

89688234e510a8e55d4ae94d98fe49ed1b3cddebcb68da7e2a6c3497bc7e11a8
SHA512

8583840e73879c945d595dfd22bec27da9d0f4a8474ccfc2d344e5a3f60c33a4d21e1fab63629410d31a93bac3ed579ee53b2b6b012a6247f7dec840e2028fd7
SSDEEP

1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7Z+9ludq:c8y93KQjy7G55riF1cMo03IB

Score

7^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2768-1-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2768-0-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2768-2-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2960	2768	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2768	2420	rundll32.exe	30
PID 2420 wrote to memory of 2768	2420	rundll32.exe	30
PID 2420 wrote to memory of 2768	2420	rundll32.exe	30
PID 2420 wrote to memory of 2768	2420	rundll32.exe	30
PID 2420 wrote to memory of 2768	2420	rundll32.exe	30
PID 2420 wrote to memory of 2768	2420	rundll32.exe	30
PID 2420 wrote to memory of 2768	2420	rundll32.exe	30
PID 2768 wrote to memory of 2960	2768	rundll32.exe	31
PID 2768 wrote to memory of 2960	2768	rundll32.exe	31
PID 2768 wrote to memory of 2960	2768	rundll32.exe	31
PID 2768 wrote to memory of 2960	2768	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a283be2131f3125c3eb66f90635a4280N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a283be2131f3125c3eb66f90635a4280N.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 304
    3⤵
    - Program crash
    PID:2960

memory/2768-1-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2768-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2768-2-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download