e21f28c60ac336baacde62b6074ab47d69f1837d3053c81b9738742b017fa6ab

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 12:00

Target

e21f28c60ac336baacde62b6074ab47d69f1837d3053c81b9738742b017fa6ab.dll
Size

205KB
MD5

ac6a0cb358b99f354414be23b6009748
SHA1

ed7d81405eb3b15c6e19465a25f30dcd41b96c98
SHA256

e21f28c60ac336baacde62b6074ab47d69f1837d3053c81b9738742b017fa6ab
SHA512

90b50bc7839d3000e55ee35b1a4f9f72eb48463919a67ede7eea24b70108b40e29f435825f277f460aeefdc3ddceccb4defb00494bc12e25d43eacc6ef0b2631
SSDEEP

3072:0/QPFX1eqEfuBNSYuiM8CNj8hFsoMX0ghsJRgCD3iFw9jdUCJ5wg:0/MEfuN0t8C5oFsoeRM3o0jH

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1268 848 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1268	848	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1264 wrote to memory of 848	1264	rundll32.exe	rundll32.exe
PID 1264 wrote to memory of 848	1264	rundll32.exe	rundll32.exe
PID 1264 wrote to memory of 848	1264	rundll32.exe	rundll32.exe
PID 1264 wrote to memory of 848	1264	rundll32.exe	rundll32.exe
PID 1264 wrote to memory of 848	1264	rundll32.exe	rundll32.exe
PID 1264 wrote to memory of 848	1264	rundll32.exe	rundll32.exe
PID 1264 wrote to memory of 848	1264	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 1268	848	rundll32.exe	WerFault.exe
PID 848 wrote to memory of 1268	848	rundll32.exe	WerFault.exe
PID 848 wrote to memory of 1268	848	rundll32.exe	WerFault.exe
PID 848 wrote to memory of 1268	848	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e21f28c60ac336baacde62b6074ab47d69f1837d3053c81b9738742b017fa6ab.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e21f28c60ac336baacde62b6074ab47d69f1837d3053c81b9738742b017fa6ab.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 232
    3⤵
    - Program crash
    PID:1268

memory/848-54-0x0000000000000000-mapping.dmp

Download
memory/848-55-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1268-56-0x0000000000000000-mapping.dmp

Download