98eb047168642cec69447564860852938b7e760e073df9658a6af679ee8b3057

Analysis

max time kernel
90s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:21

Target

98eb047168642cec69447564860852938b7e760e073df9658a6af679ee8b3057.dll
Size

156KB
MD5

4c9174f5bac77d16c68e8aa36be79847
SHA1

0fe9b6fc04aba3aa5dc95c7079ab4a11b5aaaf0b
SHA256

98eb047168642cec69447564860852938b7e760e073df9658a6af679ee8b3057
SHA512

6a4a661bbc3a1f61116e670eb82179960e47135735b5286fafaa8f15e838d2f4aa8bd4a840777784e482ef4b95e7b872c1f9400e0084417c53831ac73032207f
SSDEEP

3072:TMIA6vhzACiyKpkiKThDUKculKDTCO3AJDjjbhhh7KICnCPkFB80QJ0FPcPBoT1L:bzACiyKpkiKH3lKn3C/hCyPkFB99cPBq

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4708	XRL2n8U

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DirectX.log	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1184	5048	WerFault.exe	83
3532	4708	WerFault.exe	85

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 5048	2288	rundll32.exe	83
PID 2288 wrote to memory of 5048	2288	rundll32.exe	83
PID 2288 wrote to memory of 5048	2288	rundll32.exe	83
PID 5048 wrote to memory of 4708	5048	rundll32.exe	85
PID 5048 wrote to memory of 4708	5048	rundll32.exe	85
PID 5048 wrote to memory of 4708	5048	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\98eb047168642cec69447564860852938b7e760e073df9658a6af679ee8b3057.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\98eb047168642cec69447564860852938b7e760e073df9658a6af679ee8b3057.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\XRL2n8U
    "XRL2n8U"
    3⤵
    - Executes dropped EXE
    PID:4708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 196
      4⤵
      Program crash
      PID:3532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 672
    3⤵
    - Program crash
    PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4708 -ip 4708
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5048 -ip 5048
1⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\XRL2n8U

Filesize
93KB

MD5
cf07950e31e8e4f3c448b47774457dab

SHA1
a251b116e58878a6982512dd177d0970e1bfecf3

SHA256
1421313a9d394dacd13142e05944ffbae7228df116ef378e8ded3b4a1f5732ad

SHA512
d4e8ed5a2dccfc2898222b3bbf71414f6424e20b39036241d63dd6ec0dd166217675b1b7ce0a4bb7738bfd246e0f377f843e258b9ff9eb7d0d6ed607331589c1

Download Submit
memory/4708-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download