ae860db9a4c545ae42aa50b0913092d791602e8f36ce70fd82d45901cca0554a | Triage

Analysis

max time kernel
131s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
12-04-2022 13:35

Sharing

Report Analysis Logs

General

Target

900-57-0x00000000023E0000-0x000000000246F000-memory.dll
Size

572KB
MD5

92a5da9c70fa6a4174ecca6755a30382
SHA1

e512063383fba5d654cd4b2933f5b9f7494f42ba
SHA256

ae860db9a4c545ae42aa50b0913092d791602e8f36ce70fd82d45901cca0554a
SHA512

c37b1cb41c01200ba15497d4edd8c7c6465d11ff5718385a5c431b40ccf8cc340da695faaf8a715bb44a561609672ab9f9e28c01e5b19e34a00153d0a0154d7b

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1328 3444 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3980 wrote to memory of 5100	3980	rundll32.exe	rundll32.exe
PID 3980 wrote to memory of 5100	3980	rundll32.exe	rundll32.exe
PID 3980 wrote to memory of 5100	3980	rundll32.exe	rundll32.exe
PID 5100 wrote to memory of 3692	5100	rundll32.exe	rundll32.exe
PID 5100 wrote to memory of 3692	5100	rundll32.exe	rundll32.exe
PID 5100 wrote to memory of 3692	5100	rundll32.exe	rundll32.exe
PID 3692 wrote to memory of 3444	3692	rundll32.exe	rundll32.exe
PID 3692 wrote to memory of 3444	3692	rundll32.exe	rundll32.exe
PID 3692 wrote to memory of 3444	3692	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\900-57-0x00000000023E0000-0x000000000246F000-memory.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\900-57-0x00000000023E0000-0x000000000246F000-memory.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\900-57-0x00000000023E0000-0x000000000246F000-memory.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\900-57-0x00000000023E0000-0x000000000246F000-memory.dll,#1
4⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 552
5⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3444 -ip 3444
1⤵
PID:3568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3444-126-0x0000000000000000-mapping.dmp

Download
memory/3692-125-0x0000000000000000-mapping.dmp

Download
memory/5100-124-0x0000000000000000-mapping.dmp

Download