7dd68b17085fc97acec461a2bb3b1aab680aabeef5443dcf1942a278ac3ca89a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 09:02

Target

13a7f19cdf12ff57f910331c40f1ba40.dll
Size

36KB
MD5

13a7f19cdf12ff57f910331c40f1ba40
SHA1

62de7d2ee0203725c0047ea6f252d5ced7d6c625
SHA256

7dd68b17085fc97acec461a2bb3b1aab680aabeef5443dcf1942a278ac3ca89a
SHA512

46b4bc6eb99e8be55fb09c95bb0fd67dccc4ded944793964a0a1d3173094dfc703844af75a8a1997e2dc71f3c5ef57ba18267789ac7bd94671e2eef692d62f1f
SSDEEP

768:sM6Klo4waCdCWPGJe6yJmXYqp3JKCzBM/mQnpxoO9wkZ:RIXGJUJmzp59zBM/tpxos

Score

1^/10

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4164	3008	rundll32.exe	88
PID 3008 wrote to memory of 4164	3008	rundll32.exe	88
PID 3008 wrote to memory of 4164	3008	rundll32.exe	88
PID 4164 wrote to memory of 4304	4164	rundll32.exe	97
PID 4164 wrote to memory of 4304	4164	rundll32.exe	97
PID 4164 wrote to memory of 4304	4164	rundll32.exe	97
PID 4304 wrote to memory of 1404	4304	net.exe	96
PID 4304 wrote to memory of 1404	4304	net.exe	96
PID 4304 wrote to memory of 1404	4304	net.exe	96
PID 4164 wrote to memory of 4952	4164	rundll32.exe	95
PID 4164 wrote to memory of 4952	4164	rundll32.exe	95
PID 4164 wrote to memory of 4952	4164	rundll32.exe	95
PID 4952 wrote to memory of 576	4952	net.exe	93
PID 4952 wrote to memory of 576	4952	net.exe	93
PID 4952 wrote to memory of 576	4952	net.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\13a7f19cdf12ff57f910331c40f1ba40.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\13a7f19cdf12ff57f910331c40f1ba40.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\net.exe
    net stop OcHealthMon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4952
- - C:\Windows\SysWOW64\net.exe
    net stop winss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OcHealthMon
1⤵
PID:576

memory/4164-1-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4164-0-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download