b42b75206b72fe24558f27d9c26f3f6234e904981526bc6e15228c3e37cad58a

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:27

Target

WININET.dll
Size

32.8MB
MD5

c83409c94dad2ad6431cbda008c9ee3c
SHA1

44c36d857685273141d5e69668451851e57afaa3
SHA256

4c9f8692fe005d5d7e2edcc05f0b01c36bf11f0ff580a47c77fd1101cdb92185
SHA512

f30b1099a145a786c95c25863382ac7bc2adeafe77bbe1c31f1d99a4fa7ac677faf950ad7c05d144bf2643869d314ab59ad81096adecae49a0c23bf12f8d1c43
SSDEEP

393216:4akdM4o3a9CcwTWBvFgYdiXUxDmTJqIWlj36Ul2nong9Wbk5ycDS/aKO47T/9r0c:NuCcwTp2P

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1756 2112 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1756	2112	WerFault.exe	rundll32.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\(Padrão) 2 = "rundll32"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\(Padrão) 3 = "C:\\Windows\\SysWOW64\\"	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2384 wrote to memory of 2112	2384	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 2112	2384	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 2112	2384	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 2112	2384	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 2112	2384	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 2112	2384	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 2112	2384	rundll32.exe	rundll32.exe
PID 2112 wrote to memory of 1932	2112	rundll32.exe	explorer.exe
PID 2112 wrote to memory of 1932	2112	rundll32.exe	explorer.exe
PID 2112 wrote to memory of 1932	2112	rundll32.exe	explorer.exe
PID 2112 wrote to memory of 1932	2112	rundll32.exe	explorer.exe
PID 2112 wrote to memory of 1932	2112	rundll32.exe	explorer.exe
PID 2112 wrote to memory of 1756	2112	rundll32.exe	WerFault.exe
PID 2112 wrote to memory of 1756	2112	rundll32.exe	WerFault.exe
PID 2112 wrote to memory of 1756	2112	rundll32.exe	WerFault.exe
PID 2112 wrote to memory of 1756	2112	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WININET.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\WININET.dll,#1
  2⤵
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 360
    3⤵
    - Program crash
    PID:1756

memory/1932-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1932-4-0x0000000002650000-0x0000000002BA8000-memory.dmp

Filesize
5.3MB

Download
memory/1932-7-0x0000000002650000-0x0000000002BA8000-memory.dmp

Filesize
5.3MB

Download
memory/2112-0-0x0000000002470000-0x00000000029C8000-memory.dmp

Filesize
5.3MB

Download
memory/2112-6-0x0000000002470000-0x00000000029C8000-memory.dmp

Filesize
5.3MB

Download