3b77c4e658b5e7b2726f849fe81d2e7d75932a524363e323dbdb40659367312a | Triage

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2022, 13:12

Sharing

Report Analysis Logs

General

Target

人肉一件套/QQ查ip/ipdbhlp.dll
Size

68KB
MD5

08a5d46a12b1e33e9782034ee8c1c024
SHA1

5636e3615022b53ff8549dcdddfc6779719e272c
SHA256

3023c21f584c605ea3bfe9d8ad0a545b666ff9c5b30d491835e862cd559f781a
SHA512

c76ec36310c01c264b64b0cb1a7f42e7a8c0e8449dade5583e4a4f4bb42af5460e5aa214666e81cc3b3455e4efe4c68ed28a9d2be224180b8b2e812e0dc0e9d7
SSDEEP

1536:Vb/ltB5Qh3nI9T3Gz7ppoUM46bfnbntlo:Vb/J5i3nI8P44Ovbntlo

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4864	564	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 564	1292	rundll32.exe	83
PID 1292 wrote to memory of 564	1292	rundll32.exe	83
PID 1292 wrote to memory of 564	1292	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\人肉一件套\QQ查ip\ipdbhlp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\人肉一件套\QQ查ip\ipdbhlp.dll,#1
  2⤵
  PID:564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 600
    3⤵
    - Program crash
    PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 564 -ip 564
1⤵
PID:4844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads