cab30f5a1a46050c811b2a4759ebb174dd4d79fbb2a22e5a0d8fa07f41d22d67

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 14:50

Target

8f6d5cd5ccf202ad525a2e42328a1b5e.dll
Size

682KB
MD5

8f6d5cd5ccf202ad525a2e42328a1b5e
SHA1

20a8587e1e43f388146972f9b6823620f17890ed
SHA256

cab30f5a1a46050c811b2a4759ebb174dd4d79fbb2a22e5a0d8fa07f41d22d67
SHA512

3bee23fde8c612bc9fa92dc146a7011ecea32bca82698cd31408457fc60e5c212e23e4abaac03117afd245a8a77a0ea0b99fd7bffde17b8db7a454f5b64d78fd
SSDEEP

12288:zjOq/65IVHWxRnHnW5AunStLqA807NBqGB5nbkMhSaX5D5yRGvxsxaDea4iPf:zK06esvnW5AunSgAVV/nbkMhDzvxsU4i

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1208	2356	WerFault.exe	28

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2356	rundll32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2356	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2356	2080	rundll32.exe	28
PID 2080 wrote to memory of 2356	2080	rundll32.exe	28
PID 2080 wrote to memory of 2356	2080	rundll32.exe	28
PID 2080 wrote to memory of 2356	2080	rundll32.exe	28
PID 2080 wrote to memory of 2356	2080	rundll32.exe	28
PID 2080 wrote to memory of 2356	2080	rundll32.exe	28
PID 2080 wrote to memory of 2356	2080	rundll32.exe	28
PID 2356 wrote to memory of 1208	2356	rundll32.exe	29
PID 2356 wrote to memory of 1208	2356	rundll32.exe	29
PID 2356 wrote to memory of 1208	2356	rundll32.exe	29
PID 2356 wrote to memory of 1208	2356	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f6d5cd5ccf202ad525a2e42328a1b5e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f6d5cd5ccf202ad525a2e42328a1b5e.dll,#1
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 244
    3⤵
    - Program crash
    PID:1208

memory/2356-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000013140000-0x00000000131F1000-memory.dmp

Filesize
708KB

Download
memory/2356-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download