09238e013da42b83602ad3eabd759f980292e6208d0d67f95051e2b29893f9b6 | Triage

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 05:13

Sharing

Report Analysis Logs

General

Target

SWZ-2.03/【520传奇】守望者加速2.03/GWHookMan.dll
Size

221KB
MD5

2c888c17546bcb8d00f31708e4f2063b
SHA1

16eed93cf69c986d2f7d2086f83df8e69cc07497
SHA256

6b28948d9e4c4a3abf3e638d7f2dd58b2061936ef7667525855d76e5024e7839
SHA512

30e729196d51527b4e4a66ab492cf0eb21677329603421f994c2a13049d812e0785d8687a52507852a7f58646285f35f3d02161bf3e0a600b8ec6ea980ad895e
SSDEEP

3072:6+Uma3UstdxTRAZOP0EhfGIdoASnmEskq5/JbP:lUmSPyU0kezRfsk4

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1816 wrote to memory of 1100	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1100	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1100	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1100	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1100	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1100	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1100	1816	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SWZ-2.03\【520传奇】守望者加速2.03\GWHookMan.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SWZ-2.03\【520传奇】守望者加速2.03\GWHookMan.dll,#1
2⤵
PID:1100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-54-0x0000000000000000-mapping.dmp

Download
memory/1100-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download