4a196ee4aa45bfe3b0b45a9760fd16beaa33e827837f18a00af674c906aab8c5 | Triage

Analysis

max time kernel
42s
max time network
125s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 13:56

Sharing

Report Analysis Logs

General

Target

1.dll
Size

336KB
MD5

fef02e92b737b746f56ab07a1a558741
SHA1

ad6353a4f9cc97915c2a4285466906b4f2886d67
SHA256

4a196ee4aa45bfe3b0b45a9760fd16beaa33e827837f18a00af674c906aab8c5
SHA512

3c88f65aaf07429e510e8880623be7d0ba21ddddbac3832ade07aac28805100c4349f798e3c0ea2fd6e283120ae942581cb10e5832b720b5c2d8416475b64900

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

14 852 rundll32.exe
15 852 rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exe

pid process

852 rundll32.exe
852 rundll32.exe
852 rundll32.exe
852 rundll32.exe
852 rundll32.exe
852 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 576 wrote to memory of 852	576	rundll32.exe	rundll32.exe
PID 576 wrote to memory of 852	576	rundll32.exe	rundll32.exe
PID 576 wrote to memory of 852	576	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-2-0x0000000000000000-mapping.dmp

Download