657b2113c545a98733210f01cd3fecff8933a9da09c815ddb75792d22706d67c | Triage

Analysis

max time kernel
83s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:00

Sharing

Report Analysis Logs

General

Target

身份证号码批量升级/krnln.dll
Size

1.1MB
MD5

638e737b2293cf7b1f14c0b4fb1f3289
SHA1

f8e2223348433b992a8c42c4a7a9fb4b5c1158bc
SHA256

baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b
SHA512

4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12
SSDEEP

12288:gRZTEr9vWWBjekIPNSohrqbTkjd67pStJgkyOPNMfvsnIPb1m:vJvWmeP5rqnkwpiJxyOPNMnrb1

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 948 wrote to memory of 944	948	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 944	948	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 944	948	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 944	948	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 944	948	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 944	948	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 944	948	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\身份证号码批量升级\krnln.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\身份证号码批量升级\krnln.dll,#1
  2⤵
  PID:944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/944-54-0x0000000000000000-mapping.dmp

Download
memory/944-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download