e2322792ab5eea5d15fa8fd93d678011b5e2f86f900bc1984426fae65fd0312d

Analysis

max time kernel
234s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 12:52

Target

e2322792ab5eea5d15fa8fd93d678011b5e2f86f900bc1984426fae65fd0312d.dll
Size

125KB
MD5

d6afcc38961ab7026659e35e2d0380c9
SHA1

70b0bd636e8c6e765c2934324fcf80e2185f70fd
SHA256

e2322792ab5eea5d15fa8fd93d678011b5e2f86f900bc1984426fae65fd0312d
SHA512

71752f117338ea56f7c3bf0aa1a909634ea1e0106455cfb6a7e506e2b3d3b0a35bb0ac41109b137465c62677121bcf9eaa5f9895c562719c6e9117f845a6edf1
SSDEEP

3072:+87W1UF4p07RA1a2C/s9LTpIqrzZjLGI3u:+8CE4C7Aa2CiLTpI6G

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

560 692 WerFault.exe rundll32.exe

pid	pid_target	process	target process
560	692	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1660 wrote to memory of 692	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 692	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 692	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 692	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 692	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 692	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 692	1660	rundll32.exe	rundll32.exe
PID 692 wrote to memory of 560	692	rundll32.exe	WerFault.exe
PID 692 wrote to memory of 560	692	rundll32.exe	WerFault.exe
PID 692 wrote to memory of 560	692	rundll32.exe	WerFault.exe
PID 692 wrote to memory of 560	692	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2322792ab5eea5d15fa8fd93d678011b5e2f86f900bc1984426fae65fd0312d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2322792ab5eea5d15fa8fd93d678011b5e2f86f900bc1984426fae65fd0312d.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 260
3⤵
- Program crash
PID:560

memory/560-61-0x0000000000000000-mapping.dmp

Download
memory/692-54-0x0000000000000000-mapping.dmp

Download
memory/692-55-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/692-56-0x0000000000110000-0x0000000000123000-memory.dmp

Filesize
76KB

Download
memory/692-57-0x00000000001E0000-0x0000000000202000-memory.dmp

Filesize
136KB

Download
memory/692-62-0x0000000000110000-0x0000000000123000-memory.dmp

Filesize
76KB

Download