46f18091cf10d22dfb79b372c9c0d44f3547ec2fb9f0f7c772ef08b33ed53a83 | Triage

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
14-01-2022 16:01

Sharing

Report Analysis Logs

General

Target

ScanClientUpdate/KM.IDCard.dll
Size

224KB
MD5

f7fa5d0c24b508e4be1bd11ad15a7971
SHA1

d0efe19b25d1cf63ab131653e60c6fbae5271df5
SHA256

44f79ddc089fbcd5325f7786389b22dd99cdaa0c5d0857248f78a3f9abd542d0
SHA512

70cfbeb64728c14d38661264d5c422e36162a56805f7d20f5b288346e87394724b00b079f6145c2cc75bf2598a2796184092c7f0e6e92af30ec03e94f933414b

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1776 wrote to memory of 1220	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1220	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1220	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1220	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1220	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1220	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1220	1776	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ScanClientUpdate\KM.IDCard.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ScanClientUpdate\KM.IDCard.dll,#1
2⤵
PID:1220

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-54-0x0000000000000000-mapping.dmp

Download
memory/1220-55-0x0000000076C61000-0x0000000076C63000-memory.dmp

Filesize
8KB

Download