3e15a3bf700eb4cea2bd0d49ef100f295520972544a224d51501906d86ef7714

Analysis

max time kernel
95s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2023 15:19

Target

unknown_PID554_hiddenmodule_8F0000_x86.dll
Size

144KB
MD5

1f672b4e8257e3dfd3d7eee04f1efac9
SHA1

9a2cbf2c742307eeea28c81cc1bbd713a882b4f1
SHA256

3e15a3bf700eb4cea2bd0d49ef100f295520972544a224d51501906d86ef7714
SHA512

28d23c8db00efadb63c27c54819ba562b6b802d518970378c89eec4719132c498b4a65d8e33215f0951cbc15ceb8a668e38d8f82aede0f905f5a6dc2776d8993
SSDEEP

3072:G6MvCeiR77JQyCEz62xG3A9JCXF0LTBfvy/1:LR77J1ZzhGw9J6F0LTBny/

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3820 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4404 3820 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3820 rundll32.exe
3820 rundll32.exe

pid	process
3820	rundll32.exe

pid	pid_target	process	target process
4404	3820	WerFault.exe	rundll32.exe

pid	process
3820	rundll32.exe
3820	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3044 wrote to memory of 3820	3044	rundll32.exe	rundll32.exe
PID 3044 wrote to memory of 3820	3044	rundll32.exe	rundll32.exe
PID 3044 wrote to memory of 3820	3044	rundll32.exe	rundll32.exe
PID 3820 wrote to memory of 4112	3820	rundll32.exe	wermgr.exe
PID 3820 wrote to memory of 4112	3820	rundll32.exe	wermgr.exe
PID 3820 wrote to memory of 4112	3820	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\unknown_PID554_hiddenmodule_8F0000_x86.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\unknown_PID554_hiddenmodule_8F0000_x86.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 804
    3⤵
    - Program crash
    PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3820 -ip 3820
1⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\DD7B5E7C.dll

Filesize
2.1MB

MD5
f530495445432d6ae00f2b0f08f7c804

SHA1
f66f538b95b1a924c8392fbe7743d193d78eb50c

SHA256
5cc51f26704eef3b59e6d33ea690fa5c62237627269493ead5bad6f71d2de07b

SHA512
2b44ed622e63014a0d2d613d8bbc1548dd193460ce7711414dc4eb62a2aef69d57c9821f834555539b6a49f584cb46c5e82a9867ab0a0733d78e4f1d032d6ce8

Download Submit
memory/3820-132-0x0000000000000000-mapping.dmp

Download