5e5cc4f42c7d5481db280b28d1227568c17ed8cc4208970b7a963a4f30c7cc83

Analysis

max time kernel
12s
max time network
33s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 01:10

Target

5e5cc4f42c7d5481db280b28d1227568c17ed8cc4208970b7a963a4f30c7cc83.dll
Size

12.0MB
MD5

4bc78fc4c71bac76371b60c3c4821476
SHA1

105535d978544d85f8d61d20080905d95e1b35dd
SHA256

5e5cc4f42c7d5481db280b28d1227568c17ed8cc4208970b7a963a4f30c7cc83
SHA512

58eef4b4c37c0c3d032d71540c8537a19e9c3f95566c1e3f210aaab9fd0420871b0fa19c4e0438d573ac79839e7dc4a9c29a3a565072f72a17079a39cdd9c449
SSDEEP

196608:GkznuHSSwHM+AvSaB1HD0fYcSXzgvSJ2RsXx/LVjuMPUwKDbSbp08:s/cAzgvS82LVaKUwAbSbp08

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2564	1780	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1308	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1780	2160	rundll32.exe	30
PID 2160 wrote to memory of 1780	2160	rundll32.exe	30
PID 2160 wrote to memory of 1780	2160	rundll32.exe	30
PID 2160 wrote to memory of 1780	2160	rundll32.exe	30
PID 2160 wrote to memory of 1780	2160	rundll32.exe	30
PID 2160 wrote to memory of 1780	2160	rundll32.exe	30
PID 2160 wrote to memory of 1780	2160	rundll32.exe	30
PID 1780 wrote to memory of 1308	1780	rundll32.exe	31
PID 1780 wrote to memory of 1308	1780	rundll32.exe	31
PID 1780 wrote to memory of 1308	1780	rundll32.exe	31
PID 1780 wrote to memory of 1308	1780	rundll32.exe	31
PID 1780 wrote to memory of 2564	1780	rundll32.exe	33
PID 1780 wrote to memory of 2564	1780	rundll32.exe	33
PID 1780 wrote to memory of 2564	1780	rundll32.exe	33
PID 1780 wrote to memory of 2564	1780	rundll32.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e5cc4f42c7d5481db280b28d1227568c17ed8cc4208970b7a963a4f30c7cc83.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e5cc4f42c7d5481db280b28d1227568c17ed8cc4208970b7a963a4f30c7cc83.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension "exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 444
    3⤵
    - Program crash
    PID:2564

memory/1308-2-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-3-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-4-0x0000000002370000-0x00000000023B0000-memory.dmp

Filesize
256KB

Download
memory/1308-5-0x0000000002370000-0x00000000023B0000-memory.dmp

Filesize
256KB

Download
memory/1308-6-0x0000000002370000-0x00000000023B0000-memory.dmp

Filesize
256KB

Download
memory/1308-7-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download