de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242

Analysis

max time kernel
4s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 21:54

Target

de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242.dll
Size

73KB
MD5

006f62def479b56aea5a32c4bfd5a8a0
SHA1

3ece33765e1196046e96ed9f39bc894d6138e7c2
SHA256

de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242
SHA512

b70f87271136401fc495f426e8fafa7f758f830acbe7c925017e218ba31b61cb21c59e39f361cda1fc88ed2618287e88c61ef8f0e10a245c2e606587fd3bf8c6
SSDEEP

1536:omgrayLgKh8/HIYNcn0CUjWrPyzVmgaghTuItF9Bmx/v2n6:oNkKh8/HIYNc0bWTyzV9acTztdmxX

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4980	hrl8F25.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3140	4980	WerFault.exe	36

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 436	3832	rundll32.exe	18
PID 3832 wrote to memory of 436	3832	rundll32.exe	18
PID 3832 wrote to memory of 436	3832	rundll32.exe	18
PID 436 wrote to memory of 4980	436	rundll32.exe	36
PID 436 wrote to memory of 4980	436	rundll32.exe	36
PID 436 wrote to memory of 4980	436	rundll32.exe	36

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\de31742538940969a5949b1e2343775a4ae3cbb960284c4b140cf90e49d70242.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\hrl8F25.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl8F25.tmp
    3⤵
    - Executes dropped EXE
    PID:4980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1096
      4⤵
      Program crash
      PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4980 -ip 4980
1⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\hrl8F25.tmp

Filesize
34KB

MD5
46b3f66a360f6a08fa026f05d0996185

SHA1
9759ac3cf1498ecc105fba0864d0ad1135ce8074

SHA256
2a962ac77426e364d10998946cef608a98d3c59cccb850bdf0ffde99fb6793fd

SHA512
9d83cd4fa40ada7aff5ef12033cf23bdeca63bffeeb3c03327c7fe4249f0e5c986654f4fa2a54df23e3c5e93d79436796680dff25e754871f0dcbea9c7931dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrl8F25.tmp

Filesize
50KB

MD5
d3c9a6cf3ba7ce2619c9fc70ed1464ed

SHA1
e22c356649ad4ab13cb3041ad87bc3bb0c71cc5b

SHA256
1c594f44bca5d52444859b3ba54a09a6f3f5e80c98d1ed8b1c3cf8b8f68f2ce4

SHA512
4895ad84ff74835a21a66df6b12c96b731368d4a3751dbaba6ab236177b071a93ba031447be71bbc87d397fea61a3fe9ec13ce9a68ceced3f20996600a173e53

Download Submit
memory/4980-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4980-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download