d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1

General

Target

Shipping INVOICE-BL Shipment..exe
Size

427KB
MD5

579ba39b6a146080ef6481591440e445
SHA1

06bfc3b47e1ad6a35e10cb4a1edee6c563710107
SHA256

d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1
SHA512

bc2c920da35971ea6a6dfa8fc4f49829d6ba1eeae9589207b1f77a6e5f66d66dcb87396aadce266a61652f6fdfbe40503b9183af5f5ce26fa6cc9218df1597b9

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1028 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1708 1028 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1708 WerFault.exe
1708 WerFault.exe
1708 WerFault.exe
1708 WerFault.exe
1708 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1708 WerFault.exe

pid	process
1028	rundll32.exe

pid	pid_target	process	target process
1708	1028	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1708	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Shipping INVOICE-BL Shipment..exerundll32.exe

description	pid	process	target process
PID 1688 wrote to memory of 1028	1688	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 1688 wrote to memory of 1028	1688	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 1688 wrote to memory of 1028	1688	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 1688 wrote to memory of 1028	1688	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 1688 wrote to memory of 1028	1688	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 1688 wrote to memory of 1028	1688	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 1688 wrote to memory of 1028	1688	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 1028 wrote to memory of 1708	1028	rundll32.exe	WerFault.exe
PID 1028 wrote to memory of 1708	1028	rundll32.exe	WerFault.exe
PID 1028 wrote to memory of 1708	1028	rundll32.exe	WerFault.exe
PID 1028 wrote to memory of 1708	1028	rundll32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe
"C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\Erodium
MD5
980a6b092855d202363b6436e4a854e8

SHA1
aa8e1a7e1ab7832c3112e5c35b7da143ff919ce0

SHA256
f617d029f947ebb5c0b7b159233e699f5653a1f92e81f9fe44c60555884dc93c

SHA512
6dedf42a718dbc5a4ad25c20561c3adc0fc629d1135aa68d02fc264363617c827fe7eaa0dd49e828df93d80852b4e5aa8c932b20d43ff833c02c4b868df30367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prehnite.DLL
MD5
f8aa685a3908110e79f4639aa7daddfa

SHA1
dd4d16172ea4851f757abd34a8cb3c835552e6a3

SHA256
aeea4b86ea607cf9820e3cadd4e98353a57ec789ec0a0e2fefbdd84abd25194a

SHA512
8989a1e5a29043a8cec9353d8923dc7fca52988949637133d5af5f655b04c8016ef8930da4f57a9c068b8e9208c4b8ae2bdaca9ca699755d139cab0ed2a3c5a6

Download Submit
\Users\Admin\AppData\Local\Temp\Prehnite.dll
MD5
f8aa685a3908110e79f4639aa7daddfa

SHA1
dd4d16172ea4851f757abd34a8cb3c835552e6a3

SHA256
aeea4b86ea607cf9820e3cadd4e98353a57ec789ec0a0e2fefbdd84abd25194a

SHA512
8989a1e5a29043a8cec9353d8923dc7fca52988949637133d5af5f655b04c8016ef8930da4f57a9c068b8e9208c4b8ae2bdaca9ca699755d139cab0ed2a3c5a6

Download Submit
memory/1028-0-0x0000000000000000-mapping.dmp

Download
memory/1028-6-0x0000000000000000-mapping.dmp

Download
memory/1708-4-0x0000000000000000-mapping.dmp

Download
memory/1708-5-0x00000000022F0000-0x0000000002301000-memory.dmp

Filesize
68KB

Download
memory/1708-7-0x0000000002540000-0x0000000002551000-memory.dmp

Filesize
68KB

Download