8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 06:17

Target

8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960.dll
Size

3.5MB
MD5

7454d33db10137d3c64663adcc477e3a
SHA1

6855f2eabdda3f9af0eafc234f2a354eb6150e6d
SHA256

8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960
SHA512

41ce86848bdcfe698f7082fcc58a345939b3a74f034548feb826348108d2c0e0af21aac31752069cd6a73a5e1afad89b688f8fae06b50bb38f3fd5c290623c98
SSDEEP

49152:zLx999999999999999999999999999999999999999999999999999999999999y:H0

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1332	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Svae\DqcpbfwhV.jpg	rundll32.exe
File created	C:\Program Files (x86)\Svae\DqcpbfwhV.jpg	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	1396	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 8 IoCs

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1396	1600	rundll32.exe	27
PID 1600 wrote to memory of 1396	1600	rundll32.exe	27
PID 1600 wrote to memory of 1396	1600	rundll32.exe	27
PID 1600 wrote to memory of 1396	1600	rundll32.exe	27
PID 1600 wrote to memory of 1396	1600	rundll32.exe	27
PID 1600 wrote to memory of 1396	1600	rundll32.exe	27
PID 1600 wrote to memory of 1396	1600	rundll32.exe	27
PID 1396 wrote to memory of 1736	1396	rundll32.exe	29
PID 1396 wrote to memory of 1736	1396	rundll32.exe	29
PID 1396 wrote to memory of 1736	1396	rundll32.exe	29
PID 1396 wrote to memory of 1736	1396	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 340
    3⤵
    - Program crash
    PID:1736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
PID:1332

\??\c:\program files (x86)\svae\dqcpbfwhv.jpg

Filesize
14.8MB

MD5
1e8c39a39f50c98e40ae611856a4ef7c

SHA1
53c1e46ced3df35a1bb5dc2cdd3002bc3add9502

SHA256
e7533617448d3a56f77c58c9a4dba92f335469c26f8cd6193d9208f9bea54236

SHA512
a065cc304e1a8e303b9e32c79fbea701fd684ab0f2063a9f6e19c3e6d3ff7da206925d27326be856695c7e0a71300921ec5ca862defae0c025edd3bbb027fb18

Download Submit
\Program Files (x86)\Svae\DqcpbfwhV.jpg

Filesize
14.8MB

MD5
1e8c39a39f50c98e40ae611856a4ef7c

SHA1
53c1e46ced3df35a1bb5dc2cdd3002bc3add9502

SHA256
e7533617448d3a56f77c58c9a4dba92f335469c26f8cd6193d9208f9bea54236

SHA512
a065cc304e1a8e303b9e32c79fbea701fd684ab0f2063a9f6e19c3e6d3ff7da206925d27326be856695c7e0a71300921ec5ca862defae0c025edd3bbb027fb18

Download Submit
memory/1332-60-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1396-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1396-56-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1396-61-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download