0994bacabba34499288c55d9568f4e73a2c5bef849fde42fc03052bf63948e57

Analysis

max time kernel
100s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 01:45

Target

fz.dll
Size

808KB
MD5

bf59424bc6cce2bbf12b1ba84b6f2ae2
SHA1

1b4d6200d22a063fc2c6b4043fe568ffd6dc2057
SHA256

6df2763332209ba83ed38800541dda57a5bc605398083c8d3dc9797adc6639b2
SHA512

74974ed00e35793d8af6dce4655aebe93999037e23650264359dbc15b99e98135b30d5ca7dbf3f61e94fc1cac87c038bd3a728a56326520e4d7315bc87971a85
SSDEEP

12288:2mLrKI5p+OO+maTckE6rjR4QYoXXsqFzzG5a65qhWlC:2mPtObMznjRbYw8Z5aWC

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4236	2036	WerFault.exe	82

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2036	4980	rundll32.exe	82
PID 4980 wrote to memory of 2036	4980	rundll32.exe	82
PID 4980 wrote to memory of 2036	4980	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fz.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fz.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 716
    3⤵
    - Program crash
    PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2036 -ip 2036
1⤵
PID:1672