65f995096075e85939b42fec41a59fac6c7bbdc586deed10a696fa313a85be8c | Triage

Analysis

max time kernel
3s
max time network
11s
platform
windows7_x64
resource
win7v20201028
submitted
29-10-2020 14:15

Sharing

Report Analysis Logs

General

Target

RedDelta_PlugX.bin.dll
Size

135KB
MD5

9f794a5c213e76bc458882f392a931d0
SHA1

74e7e0219107c72239856b099b3e68ec06eb1de5
SHA256

65f995096075e85939b42fec41a59fac6c7bbdc586deed10a696fa313a85be8c
SHA512

1b10adfc19bbc8d72b8602d77e564d63381cb46b26530240e5adc10fa8dd6d55ec04c35efa8649cc969f38312458de84d6d7ebdf4eaf8150c8b7641d3684d8e8

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1172 1648 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1172 WerFault.exe
1172 WerFault.exe
1172 WerFault.exe
1172 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1172 WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 1172	1648	rundll32.exe	WerFault.exe
PID 1648 wrote to memory of 1172	1648	rundll32.exe	WerFault.exe
PID 1648 wrote to memory of 1172	1648	rundll32.exe	WerFault.exe
PID 1648 wrote to memory of 1172	1648	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\RedDelta_PlugX.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\RedDelta_PlugX.bin.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 224
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-1-0x0000000000000000-mapping.dmp

Download
memory/1172-2-0x0000000001ED0000-0x0000000001EE1000-memory.dmp

Filesize
68KB

Download
memory/1172-4-0x0000000002540000-0x0000000002551000-memory.dmp

Filesize
68KB

Download
memory/1648-0-0x0000000000000000-mapping.dmp

Download
memory/1648-3-0x0000000000000000-mapping.dmp

Download