1230ccc1595198eab2fec5df372d03d1c40415b6414b98130119f841940a7b79

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 10:33

Target

1230ccc1595198eab2fec5df372d03d1c40415b6414b98130119f841940a7b79.dll
Size

397KB
MD5

6cf8ea0289388905dabf337b5ee4ef3c
SHA1

d80c810e06b00ff6ff59a6b92fd08781ceb3edad
SHA256

1230ccc1595198eab2fec5df372d03d1c40415b6414b98130119f841940a7b79
SHA512

c8b5762329d7a28ef8adf030b5f704b47fe739dafb1a619adef263a3ed8bbfcf15d37e9223bf7c740db06c1b10a879f203c18fa0fa3dc580ff7d5a18945901f5
SSDEEP

6144:151sacsiu2LDeIHoMDIbGFtcEOkCybEaQRXr9HNdvOaR:174g2LDeiPDImOkx2LIaR

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	1932	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 8 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	rundll32.exe
Token: SeTcbPrivilege	1932	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 1932	4348	rundll32.exe	85
PID 4348 wrote to memory of 1932	4348	rundll32.exe	85
PID 4348 wrote to memory of 1932	4348	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1230ccc1595198eab2fec5df372d03d1c40415b6414b98130119f841940a7b79.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1230ccc1595198eab2fec5df372d03d1c40415b6414b98130119f841940a7b79.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 700
    3⤵
    - Program crash
    PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1932 -ip 1932
1⤵
PID:1772