Analysis Overview
SHA256
dde200baa4efabc5a9d3b6444f9642e5bcde60cc6522f8eb90e38a40935e4291
Threat Level: Known bad
The file mem.dll was found to be: Known bad.
Malicious Activity Summary
Darkvnc family
DarkVNC Payload
Suspicious use of SetThreadContext
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2022-04-27 08:48
Signatures
DarkVNC Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Darkvnc family
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-27 08:48
Reported
2022-04-27 08:50
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1864 set thread context of 2344 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\WerFault.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4948 wrote to memory of 1864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4948 wrote to memory of 1864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4948 wrote to memory of 1864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1864 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1864 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1864 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1864 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1864 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mem.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mem.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 87.248.202.1:80 | | tcp |
| US | 20.42.73.26:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | store-images.s-microsoft.com | udp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| US | 8.8.8.8:53 | tsfe.trafficshaping.dsp.mp.microsoft.com | udp |
| IE | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| IE | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | dl.delivery.mp.microsoft.com | udp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | tlu.dl.delivery.mp.microsoft.com | udp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 2.tlu.dl.delivery.mp.microsoft.com | udp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.26:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 4.tlu.dl.delivery.mp.microsoft.com | udp |
| NL | 87.248.202.1:80 | 4.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 4.tlu.dl.delivery.mp.microsoft.com | udp |
| NL | 178.79.208.1:80 | 4.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 2.tlu.dl.delivery.mp.microsoft.com | udp |
| FR | 2.22.147.66:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | tlu.dl.delivery.mp.microsoft.com | udp |
| US | 13.107.4.50:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 13.107.4.50:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 13.107.4.50:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 13.107.4.50:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.253.141.91:80 | dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 13.107.4.50:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 13.107.4.50:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.32:80 | | tcp |
Files
memory/1864-130-0x0000000000000000-mapping.dmp
memory/2344-131-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-27 08:48
Reported
2022-04-27 08:50
Platform
win7-20220414-en
Max time kernel
43s
Max time network
45s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1356 set thread context of 1764 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\WerFault.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mem.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mem.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
Network
Files
memory/1356-54-0x0000000000000000-mapping.dmp
memory/1356-55-0x0000000075361000-0x0000000075363000-memory.dmp
memory/1764-56-0x0000000000000000-mapping.dmp