554a82dc2803928aef17c5ed61cc612ef04ffa4c1abeeba1d62eca907292225c

General

Target

948-57-0x0000000000210000-0x0000000000232000-memory.dll
Size

136KB
MD5

ef008f3247c80a4882bc651230ac4aff
SHA1

e930c2e8d6892c0f8f284965bde1523df711c799
SHA256

554a82dc2803928aef17c5ed61cc612ef04ffa4c1abeeba1d62eca907292225c
SHA512

650150ffd741f7cb5999b0fc0440902dc1e806dd935b6ee28b1cae02c5fa21551a258844e5c19895d327d65c7a4e8b5f8fcf53f56215db7ffda5159dfe090947

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3376 wrote to memory of 5004	3376	rundll32.exe	rundll32.exe
PID 3376 wrote to memory of 5004	3376	rundll32.exe	rundll32.exe
PID 3376 wrote to memory of 5004	3376	rundll32.exe	rundll32.exe
PID 5004 wrote to memory of 4308	5004	rundll32.exe	rundll32.exe
PID 5004 wrote to memory of 4308	5004	rundll32.exe	rundll32.exe
PID 5004 wrote to memory of 4308	5004	rundll32.exe	rundll32.exe
PID 4308 wrote to memory of 3968	4308	rundll32.exe	rundll32.exe
PID 4308 wrote to memory of 3968	4308	rundll32.exe	rundll32.exe
PID 4308 wrote to memory of 3968	4308	rundll32.exe	rundll32.exe
PID 3968 wrote to memory of 4768	3968	rundll32.exe	rundll32.exe
PID 3968 wrote to memory of 4768	3968	rundll32.exe	rundll32.exe
PID 3968 wrote to memory of 4768	3968	rundll32.exe	rundll32.exe
PID 4768 wrote to memory of 1724	4768	rundll32.exe	rundll32.exe
PID 4768 wrote to memory of 1724	4768	rundll32.exe	rundll32.exe
PID 4768 wrote to memory of 1724	4768	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 4080	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 4080	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 4080	1724	rundll32.exe	rundll32.exe
PID 4080 wrote to memory of 5012	4080	rundll32.exe	rundll32.exe
PID 4080 wrote to memory of 5012	4080	rundll32.exe	rundll32.exe
PID 4080 wrote to memory of 5012	4080	rundll32.exe	rundll32.exe
PID 5012 wrote to memory of 4748	5012	rundll32.exe	rundll32.exe
PID 5012 wrote to memory of 4748	5012	rundll32.exe	rundll32.exe
PID 5012 wrote to memory of 4748	5012	rundll32.exe	rundll32.exe
PID 4748 wrote to memory of 4192	4748	rundll32.exe	rundll32.exe
PID 4748 wrote to memory of 4192	4748	rundll32.exe	rundll32.exe
PID 4748 wrote to memory of 4192	4748	rundll32.exe	rundll32.exe
PID 4192 wrote to memory of 1632	4192	rundll32.exe	rundll32.exe
PID 4192 wrote to memory of 1632	4192	rundll32.exe	rundll32.exe
PID 4192 wrote to memory of 1632	4192	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 4848	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 4848	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 4848	1632	rundll32.exe	rundll32.exe
PID 4848 wrote to memory of 1264	4848	rundll32.exe	rundll32.exe
PID 4848 wrote to memory of 1264	4848	rundll32.exe	rundll32.exe
PID 4848 wrote to memory of 1264	4848	rundll32.exe	rundll32.exe
PID 1264 wrote to memory of 2300	1264	rundll32.exe	rundll32.exe
PID 1264 wrote to memory of 2300	1264	rundll32.exe	rundll32.exe
PID 1264 wrote to memory of 2300	1264	rundll32.exe	rundll32.exe
PID 2300 wrote to memory of 3332	2300	rundll32.exe	rundll32.exe
PID 2300 wrote to memory of 3332	2300	rundll32.exe	rundll32.exe
PID 2300 wrote to memory of 3332	2300	rundll32.exe	rundll32.exe
PID 3332 wrote to memory of 1128	3332	rundll32.exe	rundll32.exe
PID 3332 wrote to memory of 1128	3332	rundll32.exe	rundll32.exe
PID 3332 wrote to memory of 1128	3332	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
4⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
5⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
6⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
7⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
8⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
4⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
5⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
6⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
7⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\948-57-0x0000000000210000-0x0000000000232000-memory.dll,#1
8⤵
PID:1128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1128-144-0x0000000000000000-mapping.dmp

Download
memory/1264-141-0x0000000000000000-mapping.dmp

Download
memory/1632-139-0x0000000000000000-mapping.dmp

Download
memory/1724-134-0x0000000000000000-mapping.dmp

Download
memory/2300-142-0x0000000000000000-mapping.dmp

Download
memory/3332-143-0x0000000000000000-mapping.dmp

Download
memory/3968-132-0x0000000000000000-mapping.dmp

Download
memory/4080-135-0x0000000000000000-mapping.dmp

Download
memory/4192-138-0x0000000000000000-mapping.dmp

Download
memory/4308-131-0x0000000000000000-mapping.dmp

Download
memory/4748-137-0x0000000000000000-mapping.dmp

Download
memory/4768-133-0x0000000000000000-mapping.dmp

Download
memory/4848-140-0x0000000000000000-mapping.dmp

Download
memory/5004-130-0x0000000000000000-mapping.dmp

Download
memory/5012-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing