e8374de226c1fa78368f368b26164beb3462a0d51d4e63779f211e5a8880c181

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 19:10

Target

99ea4ced179b975c8afd8e97d8d0caf8.dll
Size

19KB
MD5

99ea4ced179b975c8afd8e97d8d0caf8
SHA1

1256cdcc91875798b050fe70f93701e17212db59
SHA256

e8374de226c1fa78368f368b26164beb3462a0d51d4e63779f211e5a8880c181
SHA512

121094ee1d5a8c4d24c9c7abd35fe325593f4b76804b71aac2b52a3b721aa841d24cb91bcd6d6c57f45787a0484546fd0965e5340cd5ffb18a5bb2c1b37ba6b7
SSDEEP

384:efVl/yUbuXxFuTt3yFg/WGpzkT2WgxiJhwXxzNTtXx:UVlqUqXPWtGgjRGgM/G5

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\netsrvcs.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\netsrvcs.dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	2240	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2240	rundll32.exe
2240	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2240	2332	rundll32.exe	28
PID 2332 wrote to memory of 2240	2332	rundll32.exe	28
PID 2332 wrote to memory of 2240	2332	rundll32.exe	28
PID 2332 wrote to memory of 2240	2332	rundll32.exe	28
PID 2332 wrote to memory of 2240	2332	rundll32.exe	28
PID 2332 wrote to memory of 2240	2332	rundll32.exe	28
PID 2332 wrote to memory of 2240	2332	rundll32.exe	28
PID 2240 wrote to memory of 2768	2240	rundll32.exe	29
PID 2240 wrote to memory of 2768	2240	rundll32.exe	29
PID 2240 wrote to memory of 2768	2240	rundll32.exe	29
PID 2240 wrote to memory of 2768	2240	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\99ea4ced179b975c8afd8e97d8d0caf8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\99ea4ced179b975c8afd8e97d8d0caf8.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 228
    3⤵
    - Program crash
    PID:2768

memory/2240-0-0x0000000010050000-0x0000000010060000-memory.dmp

Filesize
64KB

Download
memory/2240-2-0x0000000010050000-0x0000000010060000-memory.dmp

Filesize
64KB

Download
memory/2240-3-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download