6f5cef83528681b073a0a237cd568ccfb3a7f1ef169760417ae5e80c5b98d1ad

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 07:19 UTC

Target

6705bcbde330d8be800fe1baa1178fb6.dll
Size

693KB
MD5

6705bcbde330d8be800fe1baa1178fb6
SHA1

55759c87e6075bcd170f41ed7065e8c91c3af8a3
SHA256

6f5cef83528681b073a0a237cd568ccfb3a7f1ef169760417ae5e80c5b98d1ad
SHA512

b994e5f416897a2d1d6b2e7b031f26115e868f66744912d82e9c8c2a3c72eacaacf7b00d1468112d10969194d19643493ca424385fb30c7dbaf871f57cc3369c
SSDEEP

12288:dyzb51779R/W5AmRIQfjiKWp+Qz6hUKi0CFy1lHP54KtvEiNtvC4uP7:If5tj/W5Am9fjilRzDKi0CFy1DvEmcP

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	3068	WerFault.exe	28

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3068	rundll32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3068	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 3068	2864	rundll32.exe	28
PID 2864 wrote to memory of 3068	2864	rundll32.exe	28
PID 2864 wrote to memory of 3068	2864	rundll32.exe	28
PID 2864 wrote to memory of 3068	2864	rundll32.exe	28
PID 2864 wrote to memory of 3068	2864	rundll32.exe	28
PID 2864 wrote to memory of 3068	2864	rundll32.exe	28
PID 2864 wrote to memory of 3068	2864	rundll32.exe	28
PID 3068 wrote to memory of 1776	3068	rundll32.exe	29
PID 3068 wrote to memory of 1776	3068	rundll32.exe	29
PID 3068 wrote to memory of 1776	3068	rundll32.exe	29
PID 3068 wrote to memory of 1776	3068	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6705bcbde330d8be800fe1baa1178fb6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6705bcbde330d8be800fe1baa1178fb6.dll,#1
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 248
    3⤵
    - Program crash
    PID:1776

memory/3068-0-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000013140000-0x00000000131F4000-memory.dmp

Filesize
720KB

Download
memory/3068-3-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download