7ce8ebe9071e13aba86542cbd59f563b6184454d4befa811a5b9e03c6accefba

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 12:40

Target

7ce8ebe9071e13aba86542cbd59f563b6184454d4befa811a5b9e03c6accefba.dll
Size

397KB
MD5

f6be0b854fed8fa6f5f670ab81c42740
SHA1

169996acde976f52d9ed114d46d48ea446f3aa42
SHA256

7ce8ebe9071e13aba86542cbd59f563b6184454d4befa811a5b9e03c6accefba
SHA512

12de3dc04aa628a213ff3ff0d8dfb32c88988683c81d4294c33781ba85668dbc2cfb45dd79193078b6f00dba3ebe8dcc1804b3f3e1fedf8a76f656a61e80f757
SSDEEP

6144:151sacsiu2LDeIHoMDIbGFtcEOkCybEaQRXr9HNdvOav:174g2LDeiPDImOkx2LIav

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process
1220	2088	WerFault.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	rundll32.exe
Token: SeTcbPrivilege	2088	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2088	3068	rundll32.exe	17
PID 3068 wrote to memory of 2088	3068	rundll32.exe	17
PID 3068 wrote to memory of 2088	3068	rundll32.exe	17
PID 3068 wrote to memory of 2088	3068	rundll32.exe	17
PID 3068 wrote to memory of 2088	3068	rundll32.exe	17
PID 3068 wrote to memory of 2088	3068	rundll32.exe	17
PID 3068 wrote to memory of 2088	3068	rundll32.exe	17
PID 2088 wrote to memory of 1220	2088	rundll32.exe	16
PID 2088 wrote to memory of 1220	2088	rundll32.exe	16
PID 2088 wrote to memory of 1220	2088	rundll32.exe	16
PID 2088 wrote to memory of 1220	2088	rundll32.exe	16

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ce8ebe9071e13aba86542cbd59f563b6184454d4befa811a5b9e03c6accefba.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ce8ebe9071e13aba86542cbd59f563b6184454d4befa811a5b9e03c6accefba.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 316
1⤵
- Program crash
PID:1220