2a0ff145da991dbd3443cc260e9e8dcb9bcd61ec6868d80b81c77145eddc44a8 | Triage

Analysis

max time kernel
3s
max time network
8s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 19:43

Sharing

Report Analysis Logs

General

Target

1.dll
Size

621KB
MD5

7e5f2859a9e472c49c960b2dc6dc7783
SHA1

ad3681bed42f97ecdcc95cecd69eb1c2b78c2b4c
SHA256

2a0ff145da991dbd3443cc260e9e8dcb9bcd61ec6868d80b81c77145eddc44a8
SHA512

2b24b9c9f366a229e7f062e0b6e16609f1387bca7a4f29bbeeaccae1b5e73525cfd8e66337f15c158e8b2ad4c49aded1a2860207eee9d46524be8c221ef56f3a

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2036 set thread context of 1328 2036 rundll32.exe WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2036 rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1808 wrote to memory of 2036	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 2036	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 2036	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 2036	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 2036	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 2036	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 2036	1808	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1328	2036	rundll32.exe	WerFault.exe
PID 2036 wrote to memory of 1328	2036	rundll32.exe	WerFault.exe
PID 2036 wrote to memory of 1328	2036	rundll32.exe	WerFault.exe
PID 2036 wrote to memory of 1328	2036	rundll32.exe	WerFault.exe
PID 2036 wrote to memory of 1328	2036	rundll32.exe	WerFault.exe
PID 2036 wrote to memory of 1328	2036	rundll32.exe	WerFault.exe
PID 2036 wrote to memory of 1328	2036	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
3⤵
PID:1328

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-2-0x0000000000000000-mapping.dmp

Download
memory/1328-3-0x000007FFFFFD6000-mapping.dmp

Download
memory/2036-0-0x0000000000000000-mapping.dmp

Download
memory/2036-1-0x0000000000440000-0x00000000004B6000-memory.dmp

Filesize
472KB

Download
memory/2036-4-0x0000000001D20000-0x0000000001DCF000-memory.dmp

Filesize
700KB

Download