35456b5776474b10c27979bc2852066c3df9333e7d1a3bacffb3220d6faea384

Analysis

max time kernel
144s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 13:06

Target

35456b5776474b10c27979bc2852066c3df9333e7d1a3bacffb3220d6faea384.dll
Size

397KB
MD5

34ce75ba79b0ab50a435880de0126bb1
SHA1

2e65e69b5508f669552c7ec26f314f175da8083d
SHA256

35456b5776474b10c27979bc2852066c3df9333e7d1a3bacffb3220d6faea384
SHA512

2b24056093333635aec5dd0b11fdf9ffb111ded8b7d4f32ef7b0aae3b5ed1bc9f7f3d29594f556d470235f3d7c752e0a1e25b6c330f75931d521121b62ce4584
SSDEEP

6144:151sacsiu2LDeIHoMDIbGFtcEOkCybEaQRXr9HNdvOae:174g2LDeiPDImOkx2LIae

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1956	1396	WerFault.exe	15

Suspicious behavior: EnumeratesProcesses 8 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	rundll32.exe
Token: SeTcbPrivilege	1396	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1396	2172	rundll32.exe	15
PID 2172 wrote to memory of 1396	2172	rundll32.exe	15
PID 2172 wrote to memory of 1396	2172	rundll32.exe	15

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\35456b5776474b10c27979bc2852066c3df9333e7d1a3bacffb3220d6faea384.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\35456b5776474b10c27979bc2852066c3df9333e7d1a3bacffb3220d6faea384.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 556
    3⤵
    - Program crash
    PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1396 -ip 1396
1⤵
PID:3528