cf316c5f407ff659c129b08be312d35756d429d76a29b41fbbc16130dbd66c29

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 06:30

Target

59b9e617809d6da18364ae4557871fa3.dll
Size

37KB
MD5

59b9e617809d6da18364ae4557871fa3
SHA1

6bafc0612b33a91b1b7a673ed866bb777bada90a
SHA256

cf316c5f407ff659c129b08be312d35756d429d76a29b41fbbc16130dbd66c29
SHA512

5631b54c096fbcb5b378545d02590229ace553ec8e111477a96d01deef877d290169dc6defd258a422b81f21252054d8ba4b5ed87b35ad6d5bc47db118098594
SSDEEP

768:af4DeMKAPgXFLEZY4D1VaykZIXZh2EGksChaydOzLA:af4DeMKAPgVWpQIn2EZpOzLA

Score

1^/10

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3584	4940	rundll32.exe	14
PID 4940 wrote to memory of 3584	4940	rundll32.exe	14
PID 4940 wrote to memory of 3584	4940	rundll32.exe	14
PID 3584 wrote to memory of 1040	3584	rundll32.exe	18
PID 3584 wrote to memory of 1040	3584	rundll32.exe	18
PID 3584 wrote to memory of 1040	3584	rundll32.exe	18
PID 1040 wrote to memory of 5060	1040	net.exe	25
PID 1040 wrote to memory of 5060	1040	net.exe	25
PID 1040 wrote to memory of 5060	1040	net.exe	25
PID 3584 wrote to memory of 2036	3584	rundll32.exe	24
PID 3584 wrote to memory of 2036	3584	rundll32.exe	24
PID 3584 wrote to memory of 2036	3584	rundll32.exe	24
PID 2036 wrote to memory of 1900	2036	net.exe	23
PID 2036 wrote to memory of 1900	2036	net.exe	23
PID 2036 wrote to memory of 1900	2036	net.exe	23

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59b9e617809d6da18364ae4557871fa3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SysWOW64\net.exe
  net stop winss
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop winss
    3⤵
    PID:5060
- C:\Windows\SysWOW64\net.exe
  net stop OcHealthMon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59b9e617809d6da18364ae4557871fa3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OcHealthMon
1⤵
PID:1900

memory/3584-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3584-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3584-1-0x0000000000830000-0x0000000000835000-memory.dmp

Filesize
20KB

Download