8e52ba7440f011237baf21e72d9f1959745191ebbf0cd71a4f0132ab8348a7ed

Analysis

max time kernel
10s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 01:57

Target

HearthBuddy/RemoteASM.dll
Size

129KB
MD5

35b6fca05587e4402a14d0e1285f33d4
SHA1

159af4f80a36d72dae79c9308a4c6cd2348f79d8
SHA256

4fc84662f5b88f058d23cc1e8312fbb3b476bd59e7790835cc03bbd34c4d441a
SHA512

1174e90d4cb6c1dde5e92fb3d74ed2571a988fc3b8f6b7677174f5e6eaa26bc65af959d6cf7f53eb2422083241d1d0dad6060dc248e98cf17cfdef6b60a125f3
SSDEEP

1536:vbbrNmi9Wfdaq0j94f4JTF27RHaOKw7nA7pHXSL+zkMO/L4i+8dyl4uA1JnSunlU:YE94f0q1vzYSL+zkMOci+8ylSjSuy

Score

1^/10

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1352	1228	rundll32.exe	28
PID 1228 wrote to memory of 1352	1228	rundll32.exe	28
PID 1228 wrote to memory of 1352	1228	rundll32.exe	28
PID 1228 wrote to memory of 1352	1228	rundll32.exe	28
PID 1228 wrote to memory of 1352	1228	rundll32.exe	28
PID 1228 wrote to memory of 1352	1228	rundll32.exe	28
PID 1228 wrote to memory of 1352	1228	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HearthBuddy\RemoteASM.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\HearthBuddy\RemoteASM.dll,#1
  2⤵
  PID:1352

memory/1352-54-0x0000000000000000-mapping.dmp

Download
memory/1352-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download