71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738 | Triage

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220331-en
submitted
06-04-2022 00:19

Sharing

Report Analysis Logs

General

Target

avast_update.dll
Size

1.6MB
MD5

b284363026bd2eef844085d6826d63ed
SHA1

94143d6470da270fc2a623c264ea1b939fa0ad58
SHA256

71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738
SHA512

efcc636c53d7989ecf93e21dc5e8fbfa3017c45ac675c00b2cee68178f255b2a877f15ac8358019301dfbb2c742f515b978df84785d76b2cbdabc38b5cf46e70

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

1 876 rundll32.exe
2 876 rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1940 wrote to memory of 876	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 876	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 876	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 876	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 876	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 876	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 876	1940	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\avast_update.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\avast_update.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-54-0x0000000000000000-mapping.dmp

Download
memory/876-55-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download