65f995096075e85939b42fec41a59fac6c7bbdc586deed10a696fa313a85be8c

Analysis

Target

RedDelta_PlugX.bin.dll
Size

135KB
MD5

9f794a5c213e76bc458882f392a931d0
SHA1

74e7e0219107c72239856b099b3e68ec06eb1de5
SHA256

65f995096075e85939b42fec41a59fac6c7bbdc586deed10a696fa313a85be8c
SHA512

1b10adfc19bbc8d72b8602d77e564d63381cb46b26530240e5adc10fa8dd6d55ec04c35efa8649cc969f38312458de84d6d7ebdf4eaf8150c8b7641d3684d8e8

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1172 1648 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1172 WerFault.exe
1172 WerFault.exe
1172 WerFault.exe
1172 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1172 WerFault.exe

pid	pid_target	process	target process
1172	1648	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1172	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1648	1756	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 1172	1648	rundll32.exe	WerFault.exe
PID 1648 wrote to memory of 1172	1648	rundll32.exe	WerFault.exe
PID 1648 wrote to memory of 1172	1648	rundll32.exe	WerFault.exe
PID 1648 wrote to memory of 1172	1648	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\RedDelta_PlugX.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\RedDelta_PlugX.bin.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 224
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1172

memory/1172-1-0x0000000000000000-mapping.dmp

Download
memory/1172-2-0x0000000001ED0000-0x0000000001EE1000-memory.dmp

Filesize
68KB

Download
memory/1172-4-0x0000000002540000-0x0000000002551000-memory.dmp

Filesize
68KB

Download
memory/1648-0-0x0000000000000000-mapping.dmp

Download
memory/1648-3-0x0000000000000000-mapping.dmp

Download