a4fd38b0fb8d33ef0a7ea5a46f26675a641ed5b00bd75be3dd37bf284b48d160

Analysis

max time kernel
91s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2022 17:43

Target

PayInfo/YouContractChanges.dll
Size

516KB
MD5

874fb02eba380d78258d115af2ec37eb
SHA1

0bd5b9b3ad2be9aa6e8d2386dd75bedba212c6ea
SHA256

2066c699cbe2bc6e5071cddb88eb27499ea405c41d6043ae47853282bd5190cd
SHA512

ec113b9fefd0de07e880d23e49da6b03fdd2d5b75103a1a28b83af1e792b2eb42e1657931d051b8a34603321e8694c4d4a89dbb372d635397e4b6783055a55b0
SSDEEP

6144:wiIqnct7uycRpLrFPQleGc2BpeQvfTiD3MJIyFX+OwjzK9y9KOc6rXPMATcBu:wihnctArBgRprvbiIIAuz19nTMAgc

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1408 1656 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1408	1656	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4356 wrote to memory of 1656	4356	rundll32.exe	rundll32.exe
PID 4356 wrote to memory of 1656	4356	rundll32.exe	rundll32.exe
PID 4356 wrote to memory of 1656	4356	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PayInfo\YouContractChanges.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PayInfo\YouContractChanges.dll,#1
2⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 600
3⤵
- Program crash
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1656 -ip 1656
1⤵
PID:2412