aa5b7b6ffd4b55a0dd00296a4112bbbc4e3fbc8ee6b9f11d2f1751b55d5a15bf | Triage

Analysis

max time kernel
91s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 05:29

Sharing

Report Analysis Logs

General

Target

PayInfo/DirectContract.dll
Size

552KB
MD5

f95535c965738fa822f530c990ad087b
SHA1

00deb27fd7ad424e9e39983b6a942f08f6c505ad
SHA256

26845dae622a4c8685c4729ec08325bbe9def29bb4153758ff5d2fff0ee77bb7
SHA512

ba3bbc650aa52d1ab6ddaeba7b133410526891a28016450a7d1ae34b61170a4db9a40ef6c915cb7b49373e95768d684df1021633809850c3e4dfb0315e6a26bc
SSDEEP

12288:H7uM8sVm1kWF/eLJ+QlfW4MwauXWfFyDFfEWmqTqQpa4NLVZC:H+sVmhledMmGdu+ZqHzC

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4920 2652 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1816 wrote to memory of 2652	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 2652	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 2652	1816	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PayInfo\DirectContract.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PayInfo\DirectContract.dll,#1
2⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 604
3⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2652 -ip 2652
1⤵
PID:4968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2652-132-0x0000000000000000-mapping.dmp

Download