Analysis
-
max time kernel
46s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
23-09-2022 06:19
Static task
static1
Behavioral task
behavioral1
Sample
r77-x86.dll
Resource
win7-20220901-en
windows7-x64
2 signatures
300 seconds
Behavioral task
behavioral2
Sample
r77-x86.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
2 signatures
300 seconds
General
-
Target
r77-x86.dll
-
Size
1013KB
-
MD5
93b6d3aec02f007349adf0b6f4364b62
-
SHA1
3d365cb07f09c72f216cd93817352a58d2238780
-
SHA256
e43afd365ec5dd152b793efdb8d2c43368df2a339b9a7f1dbeabffb27e1656c8
-
SHA512
74c9ded9468cba9dc66e6b285a43a5122eb89853a603c5b2a39c689a9e2aaaf7bef70738269e262ce70c15c43acf10afd81f333ed1a0bee4ce6cb5d8a03bc685
-
SSDEEP
12288:aS5/WvHcNW3hP+3iihuu9WvsktOhIXhvANPfnDy/5useu3C5snP+jin:aSFm0WR+ndvhIXhvARfnDw51NPN
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 900 828 WerFault.exe rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1200 wrote to memory of 828 1200 rundll32.exe rundll32.exe PID 1200 wrote to memory of 828 1200 rundll32.exe rundll32.exe PID 1200 wrote to memory of 828 1200 rundll32.exe rundll32.exe PID 1200 wrote to memory of 828 1200 rundll32.exe rundll32.exe PID 1200 wrote to memory of 828 1200 rundll32.exe rundll32.exe PID 1200 wrote to memory of 828 1200 rundll32.exe rundll32.exe PID 1200 wrote to memory of 828 1200 rundll32.exe rundll32.exe PID 828 wrote to memory of 900 828 rundll32.exe WerFault.exe PID 828 wrote to memory of 900 828 rundll32.exe WerFault.exe PID 828 wrote to memory of 900 828 rundll32.exe WerFault.exe PID 828 wrote to memory of 900 828 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\r77-x86.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\r77-x86.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 2323⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/828-54-0x0000000000000000-mapping.dmp
-
memory/828-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmpFilesize
8KB
-
memory/828-56-0x000000006F960000-0x000000006F970000-memory.dmpFilesize
64KB
-
memory/828-58-0x0000000074F90000-0x00000000750F5000-memory.dmpFilesize
1.4MB
-
memory/828-60-0x0000000074F90000-0x00000000750F5000-memory.dmpFilesize
1.4MB
-
memory/828-59-0x0000000074D30000-0x0000000074E95000-memory.dmpFilesize
1.4MB
-
memory/828-61-0x0000000074F90000-0x00000000750F5000-memory.dmpFilesize
1.4MB
-
memory/900-57-0x0000000000000000-mapping.dmp