37ce7d835f59a54c32c49157918cfcd5c77e7f3923f4a2c7ac9d7fcc97f15ac7

Analysis

Target

3d9524ca28621882a394bfde868ad792.dll
Size

256KB
MD5

0cd5d2783e1d3616131a4652c48cc446
SHA1

5be5371a5ae726651eeecc8e456d14f1f5810a8c
SHA256

37ce7d835f59a54c32c49157918cfcd5c77e7f3923f4a2c7ac9d7fcc97f15ac7
SHA512

7b499113bba8efd46b425279b76946b5ec62a87ade84405ceda238d1251bf52ab344354040644785689c953a21d4add199b3998e121b830a3d03246501ce27cb

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1324 1892 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1324 WerFault.exe
1324 WerFault.exe
1324 WerFault.exe
1324 WerFault.exe
1324 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1324 WerFault.exe

pid	pid_target	process	target process
1324	1892	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1324	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1892 wrote to memory of 1324	1892	rundll32.exe	WerFault.exe
PID 1892 wrote to memory of 1324	1892	rundll32.exe	WerFault.exe
PID 1892 wrote to memory of 1324	1892	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d9524ca28621882a394bfde868ad792.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1892 -s 108
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324

memory/1324-0-0x0000000000000000-mapping.dmp

Download
memory/1324-1-0x0000000001F20000-0x0000000001F31000-memory.dmp

Filesize
68KB

Download
memory/1324-2-0x00000000027B0000-0x00000000027C1000-memory.dmp

Filesize
68KB

Download