74cfa252e69c230f4d698eb2fd781b3b7c17231b1f4afccfcc23ffa5d3b2f467

Analysis

Target

update.dll
Size

277KB
MD5

902dfdda85be4ce700a786274bc6adc0
SHA1

9d995cf6952809eb2ebd4c4333bafeedd73bb1f0
SHA256

74cfa252e69c230f4d698eb2fd781b3b7c17231b1f4afccfcc23ffa5d3b2f467
SHA512

713976be2f355f35146c4370b6db2f88805d33de418e6376f25c6d5594db576ad07558263638ac5a40b6f6aea397031604c15b23bd13bce9d365e2a12b3a41e3

Score

3^/10

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1308	1324	rundll32.exe	24
PID 1324 wrote to memory of 1308	1324	rundll32.exe	24
PID 1324 wrote to memory of 1308	1324	rundll32.exe	24
PID 1324 wrote to memory of 1308	1324	rundll32.exe	24
PID 1324 wrote to memory of 1308	1324	rundll32.exe	24
PID 1324 wrote to memory of 1308	1324	rundll32.exe	24
PID 1324 wrote to memory of 1308	1324	rundll32.exe	24
PID 1308 wrote to memory of 1416	1308	rundll32.exe	25
PID 1308 wrote to memory of 1416	1308	rundll32.exe	25
PID 1308 wrote to memory of 1416	1308	rundll32.exe	25
PID 1308 wrote to memory of 1416	1308	rundll32.exe	25

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1416	1308	WerFault.exe	24

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	WerFault.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 224
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:1416

memory/1416-2-0x0000000001DA0000-0x0000000001DB1000-memory.dmp

Filesize
68KB

Download
memory/1416-4-0x00000000024E0000-0x00000000024F1000-memory.dmp

Filesize
68KB

Download