7698b685acfb273d1590fabe8f3495f2056691a5871296a50b1c5ed1339aa577

Analysis

max time kernel
109s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 22:13

Target

c1bc798ea23f3724ec785dcb80ef5157.dll
Size

49KB
MD5

c1bc798ea23f3724ec785dcb80ef5157
SHA1

39a62d515ef9243ebbe258c6c216117fac708b18
SHA256

7698b685acfb273d1590fabe8f3495f2056691a5871296a50b1c5ed1339aa577
SHA512

a87ba8d95525e813b0170cd00687cf617fca23d46aaadc7752556e2501320a8191165fa5dbc77c060264e8606cfccc755a1af93f3772d4835c35ac018c555e42
SSDEEP

768:4vc89QoqCl28iydf60EUsn3Q1lwf2hekL9/w4Xk+lZW+4V:Y/Qpc/Zf6wsEVCX+lQnV

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2428	PCB~1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PCB~1.exe	rundll32.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3012	2428	WerFault.exe	88
3500	2428	WerFault.exe	88
4620	4256	WerFault.exe	84

Kills process with taskkill 1 IoCs

evasion

pid	Process
5088	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4256	4844	rundll32.exe	84
PID 4844 wrote to memory of 4256	4844	rundll32.exe	84
PID 4844 wrote to memory of 4256	4844	rundll32.exe	84
PID 4256 wrote to memory of 2428	4256	rundll32.exe	88
PID 4256 wrote to memory of 2428	4256	rundll32.exe	88
PID 4256 wrote to memory of 2428	4256	rundll32.exe	88
PID 4256 wrote to memory of 2092	4256	rundll32.exe	99
PID 4256 wrote to memory of 2092	4256	rundll32.exe	99
PID 4256 wrote to memory of 2092	4256	rundll32.exe	99
PID 4256 wrote to memory of 768	4256	rundll32.exe	100
PID 4256 wrote to memory of 768	4256	rundll32.exe	100
PID 4256 wrote to memory of 768	4256	rundll32.exe	100
PID 768 wrote to memory of 5088	768	cmd.exe	105
PID 768 wrote to memory of 5088	768	cmd.exe	105
PID 768 wrote to memory of 5088	768	cmd.exe	105

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1bc798ea23f3724ec785dcb80ef5157.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1bc798ea23f3724ec785dcb80ef5157.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\PCB~1.exe
    C:\Windows\system32\PCB~1.exe
    3⤵
    - Executes dropped EXE
    PID:2428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 428
      4⤵
      Program crash
      PID:3012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 448
      4⤵
      Program crash
      PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c erase /f /q C:\Windows\system32\PCB~1.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im cmd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im cmd.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 616
    3⤵
    - Program crash
    PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2428 -ip 2428
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2428 -ip 2428
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4256 -ip 4256
1⤵
PID:2660

C:\Windows\SysWOW64\PCB~1.exe

Filesize
29KB

MD5
b44e9d14dec09425c1c3b762d21f31a2

SHA1
8118759754b0be281ec8bab3734061db3bc1ab44

SHA256
a9603e8836952ee6b5e1e1b49812c9e4c5911a2502bfc01d5c5d63d36ee7142f

SHA512
e60349a06386f0f7607b39045416efeff8afa078e8cda058b0fb90cc750935c532557a1bb2d4b05b1efec0fe2163f29f6a524f3b0f444b0327d5d1a9b6455e8f

Download Submit
memory/2428-3-0x0000000000410000-0x0000000000419000-memory.dmp

Filesize
36KB

Download
memory/2428-5-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/2428-7-0x0000000000410000-0x0000000000419000-memory.dmp

Filesize
36KB

Download
memory/4256-6-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/4256-9-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download