f2728813e7147c34eeb0c734753e0360731b9995de11f8921bed0febfda4de29

Analysis

Target

7c5a448ef79801222dceb3a09298423a.dll
Size

208KB
MD5

4bda250be73136628f57a0ed1d8969a1
SHA1

d4c896cab15fde45c962353937b7f35f235a0576
SHA256

f2728813e7147c34eeb0c734753e0360731b9995de11f8921bed0febfda4de29
SHA512

49894fd6ddd49d1ea0ba3f377abf2e5537c0c543b16c45788d18c8c7bd907e7e5c8e7703e6e77ee200f7e5c44b1f1286cc523b72b386d5ca018cbb6b55e6cec8

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1972 1648 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1972 WerFault.exe
1972 WerFault.exe
1972 WerFault.exe
1972 WerFault.exe
1972 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1972 WerFault.exe

pid	pid_target	process	target process
1972	1648	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1972	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 292 wrote to memory of 1648	292	rundll32.exe	rundll32.exe
PID 292 wrote to memory of 1648	292	rundll32.exe	rundll32.exe
PID 292 wrote to memory of 1648	292	rundll32.exe	rundll32.exe
PID 292 wrote to memory of 1648	292	rundll32.exe	rundll32.exe
PID 292 wrote to memory of 1648	292	rundll32.exe	rundll32.exe
PID 292 wrote to memory of 1648	292	rundll32.exe	rundll32.exe
PID 292 wrote to memory of 1648	292	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 1972	1648	rundll32.exe	WerFault.exe
PID 1648 wrote to memory of 1972	1648	rundll32.exe	WerFault.exe
PID 1648 wrote to memory of 1972	1648	rundll32.exe	WerFault.exe
PID 1648 wrote to memory of 1972	1648	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c5a448ef79801222dceb3a09298423a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c5a448ef79801222dceb3a09298423a.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 244
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972

memory/1648-0-0x0000000000000000-mapping.dmp

Download
memory/1648-3-0x0000000000000000-mapping.dmp

Download
memory/1972-1-0x0000000000000000-mapping.dmp

Download
memory/1972-2-0x0000000002000000-0x0000000002011000-memory.dmp

Filesize
68KB

Download
memory/1972-4-0x00000000026A0000-0x00000000026B1000-memory.dmp

Filesize
68KB

Download