721ff308a706259c674adbd7c1606f5d5636674dc372ab739f1224e0be06184a | Triage

Analysis

max time kernel
1550s
max time network
1586s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2023 14:00

Sharing

Report Analysis Logs

General

Target

t/setupres.dll
Size

75KB
MD5

f1f9e9bd62292768f433c4f894eadb58
SHA1

835aac8aa29b747cd90d44b9fef5683bf0f1f6d9
SHA256

7863ad82f7e1c036e48e928433932177a14670033028b42f44dafeacb40a86a9
SHA512

e59b908e54d162abc2aa2d814b71d1ff62a4d2105d2f22df8e8371b760111de30ca6e4f77e14ccbc2ec49eba3ff1013d023edb9f72c89bada17eaf4558ca669c
SSDEEP

1536:71z1GbzJ50O6ZTVATfXqKtyoR5Lc+CQYsWjcdx6my+F:7tUvyAXqSdo6

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4800	4892	rundll32.exe	80
PID 4892 wrote to memory of 4800	4892	rundll32.exe	80
PID 4892 wrote to memory of 4800	4892	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\t\setupres.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\t\setupres.dll,#1
  2⤵
  PID:4800

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
1⤵
PID:4752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads