a5bd1ac8e6458e40e63cf558145dbd06cc2700d97f9ed3ae5a161b165ca6c035

General

Target

SecuriteInfo.com.Variant.Graftor.752710.22488.21345.dll
Size

3.3MB
MD5

87d9f26e60c839281621348244e7a50e
SHA1

03cdedd359cf66d388f96c6aa48c9ba75469db72
SHA256

a5bd1ac8e6458e40e63cf558145dbd06cc2700d97f9ed3ae5a161b165ca6c035
SHA512

82f9de782234b46938e80cd357f847f4a5bdd8a75f7d412fc10fde3e4d9ef336e6db7f7b05c22859cb4344d3c20de69456916f5c8c1d14906edfbb4a0da682b3

Score

8^/10

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

2 1220 rundll32.exe
3 1220 rundll32.exe
8 1220 rundll32.exe
9 1220 rundll32.exe
10 1220 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1148 1948 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1148 WerFault.exe
1148 WerFault.exe
1148 WerFault.exe
1148 WerFault.exe
1148 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1148 WerFault.exe

pid	pid_target	process	target process
1148	1948	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1148	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1220	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1220	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1220	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1220	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1220	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1220	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1220	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1148	1948	rundll32.exe	WerFault.exe
PID 1948 wrote to memory of 1148	1948	rundll32.exe	WerFault.exe
PID 1948 wrote to memory of 1148	1948	rundll32.exe	WerFault.exe
PID 1948 wrote to memory of 1148	1948	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.752710.22488.21345.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.752710.22488.21345.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.752710.22488.21345.dll,f0
3⤵
- Blocklisted process makes network request
PID:1220

memory/1148-2-0x0000000000000000-mapping.dmp

Download
memory/1148-3-0x0000000001E60000-0x0000000001E71000-memory.dmp

Filesize
68KB

Download
memory/1148-6-0x0000000002440000-0x0000000002451000-memory.dmp

Filesize
68KB

Download
memory/1220-1-0x0000000000000000-mapping.dmp

Download
memory/1948-0-0x0000000000000000-mapping.dmp

Download
memory/1948-4-0x0000000000000000-mapping.dmp

Download
memory/1948-5-0x0000000000000000-mapping.dmp

Download