3e15a3bf700eb4cea2bd0d49ef100f295520972544a224d51501906d86ef7714

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-02-2023 15:19

Target

unknown_PID554_hiddenmodule_8F0000_x86.dll
Size

144KB
MD5

1f672b4e8257e3dfd3d7eee04f1efac9
SHA1

9a2cbf2c742307eeea28c81cc1bbd713a882b4f1
SHA256

3e15a3bf700eb4cea2bd0d49ef100f295520972544a224d51501906d86ef7714
SHA512

28d23c8db00efadb63c27c54819ba562b6b802d518970378c89eec4719132c498b4a65d8e33215f0951cbc15ceb8a668e38d8f82aede0f905f5a6dc2776d8993
SSDEEP

3072:G6MvCeiR77JQyCEz62xG3A9JCXF0LTBfvy/1:LR77J1ZzhGw9J6F0LTBny/

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
1772	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1940	1772	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid	Process
1772	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	Process	procid_target
PID 1720 wrote to memory of 1772	1720	rundll32.exe	26
PID 1720 wrote to memory of 1772	1720	rundll32.exe	26
PID 1720 wrote to memory of 1772	1720	rundll32.exe	26
PID 1720 wrote to memory of 1772	1720	rundll32.exe	26
PID 1720 wrote to memory of 1772	1720	rundll32.exe	26
PID 1720 wrote to memory of 1772	1720	rundll32.exe	26
PID 1720 wrote to memory of 1772	1720	rundll32.exe	26
PID 1772 wrote to memory of 1648	1772	rundll32.exe	27
PID 1772 wrote to memory of 1648	1772	rundll32.exe	27
PID 1772 wrote to memory of 1648	1772	rundll32.exe	27
PID 1772 wrote to memory of 1648	1772	rundll32.exe	27
PID 1772 wrote to memory of 1940	1772	rundll32.exe	28
PID 1772 wrote to memory of 1940	1772	rundll32.exe	28
PID 1772 wrote to memory of 1940	1772	rundll32.exe	28
PID 1772 wrote to memory of 1940	1772	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\unknown_PID554_hiddenmodule_8F0000_x86.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\unknown_PID554_hiddenmodule_8F0000_x86.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 360
    3⤵
    - Program crash
    PID:1940

\Users\Admin\AppData\Local\Temp\6B3CE807.dll

Filesize
268KB

MD5
53bb811ed12d2c867b354390fabf9612

SHA1
81b29c540c0e2a09385cf7e821639ff64fbffd91

SHA256
a972b482b09e50875c5cdc2cfd6c9b2fa96c9dbf9d23894d0b3061c97145b133

SHA512
5f7b584b9b42b0dc6ebbd3571cac1bc07c16301a994c9891201007c7b8698ef4604b2cc1f7e9a2edb016e50d415a6a9ca390a0df89bab01c889c7d382d2e8d24

Download Submit
memory/1772-54-0x0000000000000000-mapping.dmp

Download
memory/1772-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1940-57-0x0000000000000000-mapping.dmp

Download