e392ef7539563daa8f39703e76d3b68e5ed9789f8a5293e636ce2ba6e0f2b700

Analysis

max time kernel
42s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-12-2022 23:07

Target

e392ef7539563daa8f39703e76d3b68e5ed9789f8a5293e636ce2ba6e0f2b700.dll
Size

159KB
MD5

4041a3f523d7033e8efd2b7df4a4083e
SHA1

82353932b9e62cacac953e3e0ad0d688ac14591e
SHA256

e392ef7539563daa8f39703e76d3b68e5ed9789f8a5293e636ce2ba6e0f2b700
SHA512

235083a24a3c36ec85438b2ac68ec20d61fa8d4ea669f9ff41bae31a763c5781d80f4fd46a99021fa277d95d1d6ba2a0532325d427b1a5bb0f604015acba11d6
SSDEEP

3072:YHI9oNNCN8pt6t0okK1FxXcAMJs+z97TBfZiOzrO/yaP:YJnL62lKLxX5MJFz97TBR56/H

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2000	280	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
280	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 280	536	rundll32.exe	27
PID 536 wrote to memory of 280	536	rundll32.exe	27
PID 536 wrote to memory of 280	536	rundll32.exe	27
PID 536 wrote to memory of 280	536	rundll32.exe	27
PID 536 wrote to memory of 280	536	rundll32.exe	27
PID 536 wrote to memory of 280	536	rundll32.exe	27
PID 536 wrote to memory of 280	536	rundll32.exe	27
PID 280 wrote to memory of 1996	280	rundll32.exe	28
PID 280 wrote to memory of 1996	280	rundll32.exe	28
PID 280 wrote to memory of 1996	280	rundll32.exe	28
PID 280 wrote to memory of 1996	280	rundll32.exe	28
PID 280 wrote to memory of 2000	280	rundll32.exe	29
PID 280 wrote to memory of 2000	280	rundll32.exe	29
PID 280 wrote to memory of 2000	280	rundll32.exe	29
PID 280 wrote to memory of 2000	280	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e392ef7539563daa8f39703e76d3b68e5ed9789f8a5293e636ce2ba6e0f2b700.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e392ef7539563daa8f39703e76d3b68e5ed9789f8a5293e636ce2ba6e0f2b700.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 360
    3⤵
    - Program crash
    PID:2000

memory/280-55-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download