37706b3f5120e682cf454d7cd35db7cdee5373b3796c19397188c424114029de

Analysis

Target

sqlite3.dll
Size

171KB
MD5

744dcc4cbbfbb18fe3878c4e769ec48f
SHA1

c1f2c56ee2d91203a01d3465f185295477a1217d
SHA256

33eb31a2a576e663474a895ff0190316c64a93d9ce05a55df0d53f9beeb61163
SHA512

706630be2ca09e574a7794e32e515a0a3f993643d034647b8cb976c1e7045e87e30362757cc65fcdb95f4a4327f0dcda3edc82ba84e5ed9115870a037e13af21

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1964	2016	WerFault.exe	18

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1964	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2016	1056	rundll32.exe	18
PID 1056 wrote to memory of 2016	1056	rundll32.exe	18
PID 1056 wrote to memory of 2016	1056	rundll32.exe	18
PID 1056 wrote to memory of 2016	1056	rundll32.exe	18
PID 1056 wrote to memory of 2016	1056	rundll32.exe	18
PID 1056 wrote to memory of 2016	1056	rundll32.exe	18
PID 1056 wrote to memory of 2016	1056	rundll32.exe	18
PID 2016 wrote to memory of 1964	2016	rundll32.exe	27
PID 2016 wrote to memory of 1964	2016	rundll32.exe	27
PID 2016 wrote to memory of 1964	2016	rundll32.exe	27
PID 2016 wrote to memory of 1964	2016	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 228
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1964

memory/1964-63-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2016-61-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download