72ab1fdb6c8bb30e32ba8d3d27a1cea2690ad59ab4ff28bfd0ebfb3788555391

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 08:09

Target

72ab1fdb6c8bb30e32ba8d3d27a1cea2690ad59ab4ff28bfd0ebfb3788555391.dll
Size

74KB
MD5

60e8527b26fb0d5458664ec5c674338a
SHA1

034724e0211c1c988f4a48a51d5f2b433e73c455
SHA256

72ab1fdb6c8bb30e32ba8d3d27a1cea2690ad59ab4ff28bfd0ebfb3788555391
SHA512

cf0af30b547eb51b394a2096190652f8e82efd67813be1c553c630a5197c516a0f2ffa2a067a5817e7f18490cd781581edcf3376d73baa80f1a30314efc747b6
SSDEEP

1536:+pi13988ZAcYPxykieJBkugszIkRkAkkkp7kkkkZkiJ++9gL45+ZVYHvzf9fhsiC:+pi1398qAcYPxykieJBkugszIkRkAkk/

Score

8^/10

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2560	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	2560	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2560	2392	rundll32.exe	28
PID 2392 wrote to memory of 2560	2392	rundll32.exe	28
PID 2392 wrote to memory of 2560	2392	rundll32.exe	28
PID 2392 wrote to memory of 2560	2392	rundll32.exe	28
PID 2392 wrote to memory of 2560	2392	rundll32.exe	28
PID 2392 wrote to memory of 2560	2392	rundll32.exe	28
PID 2392 wrote to memory of 2560	2392	rundll32.exe	28
PID 2560 wrote to memory of 2720	2560	rundll32.exe	29
PID 2560 wrote to memory of 2720	2560	rundll32.exe	29
PID 2560 wrote to memory of 2720	2560	rundll32.exe	29
PID 2560 wrote to memory of 2720	2560	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\72ab1fdb6c8bb30e32ba8d3d27a1cea2690ad59ab4ff28bfd0ebfb3788555391.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\72ab1fdb6c8bb30e32ba8d3d27a1cea2690ad59ab4ff28bfd0ebfb3788555391.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 248
    3⤵
    - Program crash
    PID:2720

memory/2560-0-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2560-1-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2560-2-0x0000000000310000-0x0000000000348000-memory.dmp

Filesize
224KB

Download
memory/2560-3-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download