3abf95ab3254933b78291d3ef8abcbc122cecb5856646d26cae0b22a6c39cb63

Analysis

max time kernel
229s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2022 16:14

Target

YouContractChanges/NewFiles.dll
Size

516KB
MD5

f112efe2727cdfac01d2e65d6f7ce767
SHA1

b4fc9619e6f735e195229ecedc433b9c1149f7df
SHA256

538bcb3ce6055bafa31eb49cab83b35fda74447a90ce840e4b3a848a59ae23e6
SHA512

6e456be3f49cb91b222f052a462dfd84e20ce098cb47eebd0704185052e042b70dd92fc6e864f20e276a9d13d596e2d768627dd2342fbb75a34bf41fc73861c9
SSDEEP

6144:wiIqnct7uycRpLrFPQleGc2BpeQvfTiD3MJIyFX+OwjzK9y9KOc6rXPMATcBu:wihnctArBgRprvbiIIAuz19nTMAgc

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4000 1300 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4000	1300	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1772 wrote to memory of 1300	1772	rundll32.exe	rundll32.exe
PID 1772 wrote to memory of 1300	1772	rundll32.exe	rundll32.exe
PID 1772 wrote to memory of 1300	1772	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\YouContractChanges\NewFiles.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\YouContractChanges\NewFiles.dll,#1
2⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 600
3⤵
- Program crash
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1300 -ip 1300
1⤵
PID:4744