cedb23903ff7b26d31fc437c0747f0fc2c57aab62ff14b58f9b47c81b88c9a86

Analysis

max time kernel
299s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 09:25

Target

scoffed.dll
Size

743KB
MD5

861f0031d6adde4ea8fe681fe1d6070a
SHA1

271c79a71423236dfaf109adce20efb0bbcc010a
SHA256

cedb23903ff7b26d31fc437c0747f0fc2c57aab62ff14b58f9b47c81b88c9a86
SHA512

1fc8ec236475d0b75fe9704e5a1b9d456f58b84dd3c272e40a9f09f583aa47393ddbbfa9d7fb6bcd377adaa13d313241ce5a28214b85f58f7774ee7f1bd01a2c
SSDEEP

12288:e+4QHixeljmtjVFJcPp+cygICZoxlSr9N6q6xMZXJMeGbX//7OT:5DXjmtjVD3cygICZwSJN6q6yZXJM5T/c

Score

1^/10

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1364	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1364	1996	rundll32.exe	28
PID 1996 wrote to memory of 1364	1996	rundll32.exe	28
PID 1996 wrote to memory of 1364	1996	rundll32.exe	28
PID 1996 wrote to memory of 1364	1996	rundll32.exe	28
PID 1996 wrote to memory of 1364	1996	rundll32.exe	28
PID 1996 wrote to memory of 1364	1996	rundll32.exe	28
PID 1996 wrote to memory of 1364	1996	rundll32.exe	28
PID 1364 wrote to memory of 944	1364	rundll32.exe	29
PID 1364 wrote to memory of 944	1364	rundll32.exe	29
PID 1364 wrote to memory of 944	1364	rundll32.exe	29
PID 1364 wrote to memory of 944	1364	rundll32.exe	29
PID 1364 wrote to memory of 944	1364	rundll32.exe	29
PID 1364 wrote to memory of 944	1364	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\scoffed.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\scoffed.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:944

memory/944-65-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/944-66-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1364-55-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1364-56-0x0000000000460000-0x000000000051E000-memory.dmp

Filesize
760KB

Download
memory/1364-57-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/1364-59-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/1364-58-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/1364-60-0x00000000001E0000-0x0000000000209000-memory.dmp

Filesize
164KB

Download
memory/1364-61-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/1364-64-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download