8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 06:17

Target

8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960.dll
Size

3.5MB
MD5

7454d33db10137d3c64663adcc477e3a
SHA1

6855f2eabdda3f9af0eafc234f2a354eb6150e6d
SHA256

8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960
SHA512

41ce86848bdcfe698f7082fcc58a345939b3a74f034548feb826348108d2c0e0af21aac31752069cd6a73a5e1afad89b688f8fae06b50bb38f3fd5c290623c98
SSDEEP

49152:zLx999999999999999999999999999999999999999999999999999999999999y:H0

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
4208	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Svae\DqcpbfwhV.jpg	rundll32.exe
File created	C:\Program Files (x86)\Svae\DqcpbfwhV.jpg	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1044	2612	WerFault.exe	80

Suspicious use of AdjustPrivilegeToken 8 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2612	4020	rundll32.exe	80
PID 4020 wrote to memory of 2612	4020	rundll32.exe	80
PID 4020 wrote to memory of 2612	4020	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 728
    3⤵
    - Program crash
    PID:1044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2612 -ip 2612
1⤵
PID:4804

C:\Program Files (x86)\Svae\DqcpbfwhV.jpg

Filesize
11.3MB

MD5
a12c6281586d7861f1602fe2cef0a2ac

SHA1
38f5a384744c3b8980f114a5b65bff0a3d87af14

SHA256
b1b7ac3056d43680bd6b97389cca0d5926a61eaca0ef21167ef9e719f944fc29

SHA512
4432442e25e1aa6114b0df46aa3871c5d5728b7660dc99797eca38a61fda4f13ab16d5afe214be70fe95a68a9d236062d688711aedf4b2f7e60515db1be89a50

Download Submit
\??\c:\program files (x86)\svae\dqcpbfwhv.jpg

Filesize
11.3MB

MD5
a12c6281586d7861f1602fe2cef0a2ac

SHA1
38f5a384744c3b8980f114a5b65bff0a3d87af14

SHA256
b1b7ac3056d43680bd6b97389cca0d5926a61eaca0ef21167ef9e719f944fc29

SHA512
4432442e25e1aa6114b0df46aa3871c5d5728b7660dc99797eca38a61fda4f13ab16d5afe214be70fe95a68a9d236062d688711aedf4b2f7e60515db1be89a50

Download Submit
memory/2612-133-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2612-137-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/4208-136-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/4208-138-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download