655b1643db3679764d779f1fc284b647b69285e8cd7bb28a8a235140eff42376

Analysis

Target

655b1643db3679764d779f1fc284b647b69285e8cd7bb28a8a235140eff42376.dll
Size

52KB
MD5

9f7a7c1f9c1a46cc97307ca3c657d8cd
SHA1

6bfc7b2816f5d67c1dc9366d810a683ed82105a4
SHA256

655b1643db3679764d779f1fc284b647b69285e8cd7bb28a8a235140eff42376
SHA512

ced3e0191ec93aad8beaa56253b3cce131d81a365c03b101c8dc26e4eaff4f576fccb710a40f2012fc8ad3eeb06e1775458a38350d3abff3cdc16ff6e7f34539

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1592	812	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid	Process
1592	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description	pid	Process
Token: SeDebugPrivilege	1592	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 812 wrote to memory of 1592	812	rundll32.exe	27
PID 812 wrote to memory of 1592	812	rundll32.exe	27
PID 812 wrote to memory of 1592	812	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\655b1643db3679764d779f1fc284b647b69285e8cd7bb28a8a235140eff42376.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 812 -s 56
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1592

memory/1592-54-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download
memory/1592-55-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download