0ff4e71aa98a2ad56e1202a59efcf05c8b5e2c0f98fced5af41cb3410bcf299e

Analysis

max time kernel
167s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:43

Target

0ff4e71aa98a2ad56e1202a59efcf05c8b5e2c0f98fced5af41cb3410bcf299e.dll
Size

164KB
MD5

558b96b1644a5c38e1daa67107d06307
SHA1

e8a1324ce6b55f1e0376466c275ef75abbfb2683
SHA256

0ff4e71aa98a2ad56e1202a59efcf05c8b5e2c0f98fced5af41cb3410bcf299e
SHA512

bc3bf44aeae09e6c197f61e2c89ae3390308230ac2c74e1ba3e71bb0ac382bdd6f9724bfcc8e6b1cc077e0a01ea3783292a9ba8fd5df141641502dc1c82657b2
SSDEEP

3072:dGJ1uCEt8tOF5pU+F+X+AWVcupt3hhY1vpUZyzAmf0CSK7nEo69RLwv69dRmqe2v:QJnobn+m+1qB8A4kgqe21Vzn

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

4980 rundll32mgr.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1080 2668 WerFault.exe rundll32.exe
2504 4980 WerFault.exe rundll32mgr.exe

pid	process
4980	rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
1080	2668	WerFault.exe	rundll32.exe
2504	4980	WerFault.exe	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 880 wrote to memory of 2668	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 2668	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 2668	880	rundll32.exe	rundll32.exe
PID 2668 wrote to memory of 4980	2668	rundll32.exe	rundll32mgr.exe
PID 2668 wrote to memory of 4980	2668	rundll32.exe	rundll32mgr.exe
PID 2668 wrote to memory of 4980	2668	rundll32.exe	rundll32mgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff4e71aa98a2ad56e1202a59efcf05c8b5e2c0f98fced5af41cb3410bcf299e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 484
4⤵
- Program crash
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 612
3⤵
- Program crash
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2668 -ip 2668
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4980 -ip 4980
1⤵
PID:1136

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
110KB

MD5
f71fbb1f80eb18d999ebf7523c245afd

SHA1
b498b16f05362c69a4de7a9820a6ead7c4af3735

SHA256
fdc2a8b0fd518ad4573b2b51b189ee22d7bcf903458ee7468f9fece27bce0e7f

SHA512
f0e8c10d8784d12b26c2c470a927b35d4f69d7a5662d31b0cc83519da1544a2cae19522ea9534d9437fdc2e1219eac79586ff4858bd223ea908784b12f28c48b

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
110KB

MD5
f71fbb1f80eb18d999ebf7523c245afd

SHA1
b498b16f05362c69a4de7a9820a6ead7c4af3735

SHA256
fdc2a8b0fd518ad4573b2b51b189ee22d7bcf903458ee7468f9fece27bce0e7f

SHA512
f0e8c10d8784d12b26c2c470a927b35d4f69d7a5662d31b0cc83519da1544a2cae19522ea9534d9437fdc2e1219eac79586ff4858bd223ea908784b12f28c48b

Download Submit
memory/2668-0-0x0000000000000000-mapping.dmp

Download
memory/2668-133-0x0000000000CC0000-0x0000000000CE7000-memory.dmp

Filesize
156KB

Download
memory/2668-134-0x0000000000CC1000-0x0000000000CDE000-memory.dmp

Filesize
116KB

Download
memory/2668-135-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2668-140-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/4980-136-0x0000000000000000-mapping.dmp

Download
memory/4980-139-0x0000000000400000-0x0000000000437B80-memory.dmp

Filesize
222KB

Download