Analysis
max time kernel: 97s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220331-en
submitted: 08-04-2022 15:33
Static task: static1

Behavioral task: behavioral1
Sample: 1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll
Resource: win7-20220331-en
Platform: windows7_x64
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll
Resource: win10v2004-20220331-en
Platform: windows10-2004_x64
0 signatures, 0 seconds
General
Target: 1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll
Size: 572KB
MD5: 6e2ff6488f39f9b17980af38d7179a8b
SHA1: 6826e93503ea185cadc79cf35963b8b02dd9d863
SHA256: 03b6f8437c5c2001f1d6ff033d25a73adc37c9ba778e7706b02b181ccab1d5c3
SHA512: 892c2c3865acebb424396f3292f74cf72cf92f7997cb1840a23bff9e6e9b3a06e86b2437099c5f6f901d419de334f7499f329f6d8ff6c8ad6815a80ff6dd669b
Score: 3/10
Malware Config
Signatures
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
4940  4068        WerFault.exe  rundll32.exe

Suspicious use of WriteProcessMemory (39 IoCs)
Processes:
description                       pid   process       target process
PID 3140 wrote to memory of 4888  3140  rundll32.exe  rundll32.exe
PID 3140 wrote to memory of 4888  3140  rundll32.exe  rundll32.exe
PID 3140 wrote to memory of 4888  3140  rundll32.exe  rundll32.exe
PID 4888 wrote to memory of 4592  4888  rundll32.exe  rundll32.exe
PID 4888 wrote to memory of 4592  4888  rundll32.exe  rundll32.exe
PID 4888 wrote to memory of 4592  4888  rundll32.exe  rundll32.exe
PID 4592 wrote to memory of 4044  4592  rundll32.exe  rundll32.exe
PID 4592 wrote to memory of 4044  4592  rundll32.exe  rundll32.exe
PID 4592 wrote to memory of 4044  4592  rundll32.exe  rundll32.exe
PID 4044 wrote to memory of 3648  4044  rundll32.exe  rundll32.exe
PID 4044 wrote to memory of 3648  4044  rundll32.exe  rundll32.exe
PID 4044 wrote to memory of 3648  4044  rundll32.exe  rundll32.exe
PID 3648 wrote to memory of 4704  3648  rundll32.exe  rundll32.exe
PID 3648 wrote to memory of 4704  3648  rundll32.exe  rundll32.exe
PID 3648 wrote to memory of 4704  3648  rundll32.exe  rundll32.exe
PID 4704 wrote to memory of 4596  4704  rundll32.exe  rundll32.exe
PID 4704 wrote to memory of 4596  4704  rundll32.exe  rundll32.exe
PID 4704 wrote to memory of 4596  4704  rundll32.exe  rundll32.exe
PID 4596 wrote to memory of 4740  4596  rundll32.exe  rundll32.exe
PID 4596 wrote to memory of 4740  4596  rundll32.exe  rundll32.exe
PID 4596 wrote to memory of 4740  4596  rundll32.exe  rundll32.exe
PID 4740 wrote to memory of 3968  4740  rundll32.exe  rundll32.exe
PID 4740 wrote to memory of 3968  4740  rundll32.exe  rundll32.exe
PID 4740 wrote to memory of 3968  4740  rundll32.exe  rundll32.exe
PID 3968 wrote to memory of 1336  3968  rundll32.exe  rundll32.exe
PID 3968 wrote to memory of 1336  3968  rundll32.exe  rundll32.exe
PID 3968 wrote to memory of 1336  3968  rundll32.exe  rundll32.exe
PID 1336 wrote to memory of 2632  1336  rundll32.exe  rundll32.exe
PID 1336 wrote to memory of 2632  1336  rundll32.exe  rundll32.exe
PID 1336 wrote to memory of 2632  1336  rundll32.exe  rundll32.exe
PID 2632 wrote to memory of 3576  2632  rundll32.exe  rundll32.exe
PID 2632 wrote to memory of 3576  2632  rundll32.exe  rundll32.exe
PID 2632 wrote to memory of 3576  2632  rundll32.exe  rundll32.exe
PID 3576 wrote to memory of 3216  3576  rundll32.exe  rundll32.exe
PID 3576 wrote to memory of 3216  3576  rundll32.exe  rundll32.exe
PID 3576 wrote to memory of 3216  3576  rundll32.exe  rundll32.exe
PID 3216 wrote to memory of 4068  3216  rundll32.exe  rundll32.exe
PID 3216 wrote to memory of 4068  3216  rundll32.exe  rundll32.exe
PID 3216 wrote to memory of 4068  3216  rundll32.exe  rundll32.exe
Processes
Process tree (each numbered entry is the parent of the entry that follows it; the final WerFault.exe entry is a separate root):

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 3140
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 4888
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 4592
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 4044
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 3648
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 4704
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 4596
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 4740
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 3968
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 1336
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 2632
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 3576
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 3216
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1340-58-0x0000000000D60000-0x0000000000DEF000-memory.dll,#1
   PID: 4068
15. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 560
   PID: 4940
   - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4068 -ip 4068
   PID: 1432
Network
MITRE ATT&CK Matrix
Downloads
- memory/1336-132-0x0000000000000000-mapping.dmp
- memory/2632-133-0x0000000000000000-mapping.dmp
- memory/3216-135-0x0000000000000000-mapping.dmp
- memory/3576-134-0x0000000000000000-mapping.dmp
- memory/3648-127-0x0000000000000000-mapping.dmp
- memory/3968-131-0x0000000000000000-mapping.dmp
- memory/4044-126-0x0000000000000000-mapping.dmp
- memory/4068-136-0x0000000000000000-mapping.dmp
- memory/4592-125-0x0000000000000000-mapping.dmp
- memory/4596-129-0x0000000000000000-mapping.dmp
- memory/4704-128-0x0000000000000000-mapping.dmp
- memory/4740-130-0x0000000000000000-mapping.dmp
- memory/4888-124-0x0000000000000000-mapping.dmp