3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c

Analysis

max time kernel
113s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 21:53

Target

3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c.dll
Size

103KB
MD5

59b81f67645b876427e5f25ebc12a2c0
SHA1

c39741521c3303b0ebc3b704734f223c008781cc
SHA256

3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c
SHA512

6f84c91ae7886680c185ee1b117ae5ce1385d156b97a188097e2a8fccc62bb47e2741a8aea420d9208620e983416a36dec64237aaf1c95378b035a076aceee30
SSDEEP

1536:wmD6BS7LL1edo9yHSmxt4B4LCXivshX5tlL:wVBon1eWyHS2uBKvOJ

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3588	hrlD70B.tmp

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5040	3588	WerFault.exe	82
4380	3588	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 5076	5060	rundll32.exe	79
PID 5060 wrote to memory of 5076	5060	rundll32.exe	79
PID 5060 wrote to memory of 5076	5060	rundll32.exe	79
PID 5076 wrote to memory of 3588	5076	rundll32.exe	82
PID 5076 wrote to memory of 3588	5076	rundll32.exe	82
PID 5076 wrote to memory of 3588	5076	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3eeb9eeb9449abfb063703ea53f5b5921ae6f3ce542bb5cf187e8133b79e864c.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\hrlD70B.tmp
    C:\Users\Admin\AppData\Local\Temp\hrlD70B.tmp
    3⤵
    - Executes dropped EXE
    PID:3588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 272
      4⤵
      Program crash
      PID:5040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 276
      4⤵
      Program crash
      PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3588 -ip 3588
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3588 -ip 3588
1⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\hrlD70B.tmp

Filesize
95KB

MD5
83109cdd79db555786a11e0c503a5412

SHA1
3ee0cca5c8e0d993722071cb6a8e3f1c38b60831

SHA256
393f72306c60d0de25c5557968d09e46e78db619d9edfa4d81129101a4fb3368

SHA512
3fee1b9921faaafe3a9fe22defaedd84a40027140470dbf8f3306a0b0080282689060a0e32829bac6a7063cba5d23453609ccacb259ec01b98d4d6a28648fe31

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlD70B.tmp

Filesize
95KB

MD5
83109cdd79db555786a11e0c503a5412

SHA1
3ee0cca5c8e0d993722071cb6a8e3f1c38b60831

SHA256
393f72306c60d0de25c5557968d09e46e78db619d9edfa4d81129101a4fb3368

SHA512
3fee1b9921faaafe3a9fe22defaedd84a40027140470dbf8f3306a0b0080282689060a0e32829bac6a7063cba5d23453609ccacb259ec01b98d4d6a28648fe31

Download Submit
memory/3588-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download