5ad5d828d3e632a7ad45e6a051cda25b266d1ee544738938b79689ef004fe5b0 | Triage

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
19-07-2022 10:08

Sharing

Report Analysis Logs

General

Target

version.dll
Size

291KB
MD5

eb2271f89cc76e2ec47cb8cc8b05b7a3
SHA1

e13c265698e98829020e7514f67523d698a28afb
SHA256

5ad5d828d3e632a7ad45e6a051cda25b266d1ee544738938b79689ef004fe5b0
SHA512

1dc2c1088d7dfc0f0de3e6afc64744f757a5bfd451f032323460a41c61d1475c467eb50b743f3eb5b18a400f6b8c1fbe0a593ea2b46a4c9d1a580282e640ba15

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 960 wrote to memory of 2008	960	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 2008	960	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 2008	960	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 2008	960	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 2008	960	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 2008	960	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 2008	960	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	cmd.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	cmd.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	cmd.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1984	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 1984	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 1984	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 1984	1996	cmd.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\version.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\version.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd.exe
4⤵
PID:1984

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1984-57-0x0000000000000000-mapping.dmp

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download
memory/2008-54-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download