90763987c58647c67fd0c18ec0417c0d480ce9e6a8ad753c879561dfd39900e2 | Triage

Analysis

max time kernel
96s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 13:39

Sharing

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Cidox.dll
Size

42KB
MD5

e2743432db3d6badcd69fb0118627434
SHA1

6d658eec753d1919a6377fb5737f8fd818173617
SHA256

90763987c58647c67fd0c18ec0417c0d480ce9e6a8ad753c879561dfd39900e2
SHA512

b4c0751d78bfc6d7a8d14de176dae1ee148ddb0485da7d2f413321fa7a573129cabd8e00a9a362edf41eda4d3768edca47cbd7da89e1ed3645498ecc1697a071
SSDEEP

768:4m79USe3fvbI3Dhg0dY2V+xLArpcnXyFMO1o9Iv:OSu3Y9g0dYNtgciFjo2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5020	2536	WerFault.exe	81

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2536	4964	rundll32.exe	81
PID 4964 wrote to memory of 2536	4964	rundll32.exe	81
PID 4964 wrote to memory of 2536	4964	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Cidox.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Cidox.dll,#1
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 844
    3⤵
    - Program crash
    PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2536 -ip 2536
1⤵
PID:2436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-133-0x0000000000DC0000-0x0000000000E96000-memory.dmp

Filesize
856KB

Download
memory/2536-134-0x0000000000DC0000-0x0000000000E96000-memory.dmp

Filesize
856KB

Download