03b6f8437c5c2001f1d6ff033d25a73adc37c9ba778e7706b02b181ccab1d5c3

General

Target

1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll
Size

572KB
MD5

6e2ff6488f39f9b17980af38d7179a8b
SHA1

6826e93503ea185cadc79cf35963b8b02dd9d863
SHA256

03b6f8437c5c2001f1d6ff033d25a73adc37c9ba778e7706b02b181ccab1d5c3
SHA512

892c2c3865acebb424396f3292f74cf72cf92f7997cb1840a23bff9e6e9b3a06e86b2437099c5f6f901d419de334f7499f329f6d8ff6c8ad6815a80ff6dd669b

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1932 1252 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1932	1252	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2188 wrote to memory of 5020	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 5020	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 5020	2188	rundll32.exe	rundll32.exe
PID 5020 wrote to memory of 2688	5020	rundll32.exe	rundll32.exe
PID 5020 wrote to memory of 2688	5020	rundll32.exe	rundll32.exe
PID 5020 wrote to memory of 2688	5020	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2180	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2180	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2180	2688	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 3812	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 3812	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 3812	2180	rundll32.exe	rundll32.exe
PID 3812 wrote to memory of 3608	3812	rundll32.exe	rundll32.exe
PID 3812 wrote to memory of 3608	3812	rundll32.exe	rundll32.exe
PID 3812 wrote to memory of 3608	3812	rundll32.exe	rundll32.exe
PID 3608 wrote to memory of 4540	3608	rundll32.exe	rundll32.exe
PID 3608 wrote to memory of 4540	3608	rundll32.exe	rundll32.exe
PID 3608 wrote to memory of 4540	3608	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 816	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 816	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 816	4540	rundll32.exe	rundll32.exe
PID 816 wrote to memory of 2172	816	rundll32.exe	rundll32.exe
PID 816 wrote to memory of 2172	816	rundll32.exe	rundll32.exe
PID 816 wrote to memory of 2172	816	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 820	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 820	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 820	2172	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 712	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 712	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 712	820	rundll32.exe	rundll32.exe
PID 712 wrote to memory of 960	712	rundll32.exe	rundll32.exe
PID 712 wrote to memory of 960	712	rundll32.exe	rundll32.exe
PID 712 wrote to memory of 960	712	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 4724	960	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 4724	960	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 4724	960	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 1252	4724	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 1252	4724	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 1252	4724	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
4⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
5⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
6⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
7⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
8⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
9⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
10⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
11⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
12⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
13⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
14⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 568
15⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1252 -ip 1252
1⤵
PID:1480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/712-133-0x0000000000000000-mapping.dmp

Download
memory/816-130-0x0000000000000000-mapping.dmp

Download
memory/820-132-0x0000000000000000-mapping.dmp

Download
memory/960-134-0x0000000000000000-mapping.dmp

Download
memory/1252-136-0x0000000000000000-mapping.dmp

Download
memory/2172-131-0x0000000000000000-mapping.dmp

Download
memory/2180-126-0x0000000000000000-mapping.dmp

Download
memory/2688-125-0x0000000000000000-mapping.dmp

Download
memory/3608-128-0x0000000000000000-mapping.dmp

Download
memory/3812-127-0x0000000000000000-mapping.dmp

Download
memory/4540-129-0x0000000000000000-mapping.dmp

Download
memory/4724-135-0x0000000000000000-mapping.dmp

Download
memory/5020-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing