02900e6eb7511f87d7e8de75f13d63d01f772702f0f4b989b2161a0723e06892

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 01:08

Target

992-94-0x00000000001E0000-0x000000000020A000-memory.dll
Size

168KB
MD5

636eb8f7f01dc41aa3a5068f7650b378
SHA1

43813f29575b5bde2d2b188726f04f96f3215bd3
SHA256

02900e6eb7511f87d7e8de75f13d63d01f772702f0f4b989b2161a0723e06892
SHA512

0ea7675992be959d6c5fea95c529485d93d94dd4a11b23817fa888752f60dd875c01dc9e25674d7f2ddb487d2303423393fda152e4607fa11fc1105a999b64b1
SSDEEP

3072:egcnehhT9XxeQQ7bP9BOAmJce3gLTBfNeSO/yaoICv:h7phnQXP9B7mJR3gLTBFet/g

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1116 1124 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1116	1124	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1492 wrote to memory of 1124	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1124	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1124	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1124	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1124	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1124	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1124	1492	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 1116	1124	rundll32.exe	WerFault.exe
PID 1124 wrote to memory of 1116	1124	rundll32.exe	WerFault.exe
PID 1124 wrote to memory of 1116	1124	rundll32.exe	WerFault.exe
PID 1124 wrote to memory of 1116	1124	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\992-94-0x00000000001E0000-0x000000000020A000-memory.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\992-94-0x00000000001E0000-0x000000000020A000-memory.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 196
3⤵
- Program crash
PID:1116

memory/1116-56-0x0000000000000000-mapping.dmp

Download
memory/1124-54-0x0000000000000000-mapping.dmp

Download
memory/1124-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download