40ae5686af1d386286a4087e18640a47e9a1406f724207c1988c8d118b4be384 | Triage

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-07-2022 15:13

Sharing

Report Analysis Logs

General

Target

12ykgyy/xldl.dll
Size

286KB
MD5

40e8d381da7c2badc4b6f0cdb4b5378f
SHA1

3646338c6a20f17bf4383a8d053ce37681df8ead
SHA256

cb0b0c42dae0a1e946f97f6bda522eb5ad943cb632ba3d19f597ecb3e1f5eb94
SHA512

68dc5128d2e90885ca0e69dced80254e87ab765faefaf152b3cf452b37fb730ec146d4930342ced3f227bd7622a93592526d73567155346de14cd76e5180e7b3

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4996 1020 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3420 wrote to memory of 1020	3420	rundll32.exe	rundll32.exe
PID 3420 wrote to memory of 1020	3420	rundll32.exe	rundll32.exe
PID 3420 wrote to memory of 1020	3420	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12ykgyy\xldl.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12ykgyy\xldl.dll,#1
2⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 644
3⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1020 -ip 1020
1⤵
PID:2320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-130-0x0000000000000000-mapping.dmp

Download