152e9b1adde12821f2460e9599d5f42ce08a80e74e032b66fbb40862a0ac3822

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 07:00

Target

$PLUGINSDIR/NScurl.dll
Size

3.6MB
MD5

63216695ae786d558abeac2066d6b35d
SHA1

5db94beb81e73f9fb5ca50467f857385028f9a89
SHA256

b1e7fad63ec88c200fa80b7b3ba6066d820cd3a0960c7e0d93b9c562afca6fa2
SHA512

9f72fb59b17409570abdebf201c532d125f293a4160f9ab39f76fa66888077a0a9dbf51b1445a67e6186602d1f916401d700087b7bd486bef49c6c0a7d107c9f
SSDEEP

49152:RoidPHYhsX7OSWbiZsgYsAwJt1XViLLNGWVZk9ArLxj/FRj5NCxWX:RhRHYhsLkbPgrAwJt1XALLPVZPLxp9

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3688	3652	WerFault.exe	81

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 3652	1192	rundll32.exe	81
PID 1192 wrote to memory of 3652	1192	rundll32.exe	81
PID 1192 wrote to memory of 3652	1192	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NScurl.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NScurl.dll,#1
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 640
    3⤵
    - Program crash
    PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3652 -ip 3652
1⤵
PID:3988

memory/3652-0-0x0000000074CA0000-0x000000007503F000-memory.dmp

Filesize
3.6MB

Download