d475fc9c05d4723cb85fdd92dc1a1ecea8f5d9a2c9601eb3042769d9eefbe5df

Analysis

max time kernel
52s
max time network
59s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-02-2023 08:28

Target

XWorm/Plugins/Computerdefaults.dll
Size

10KB
MD5

8d58916cbbd55a74d6b76e03d051f827
SHA1

520834e9fb0e129f0a291f9722d3b3873dd5e2c4
SHA256

e4cfebcb6c8e2fe772b81f765e0a6304444b1afa17a110f92a4c73e085b33c49
SHA512

fea73b858f96c7612f8ed278d74bfb1cd9df1857813c1837bc1dbfdbe2b127b373e5c03e984b09099be6d5f011322e75c0d49f2b55273291b29dab098e4ae578
SSDEEP

192:Py3eljoEikzHGOinDgyITjIW1PD/lf5lrljlQ0lIdlU5SxEFocTLuM:Py6riCmb0yITND/lfHiGofM

Score

1^/10

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1012 wrote to memory of 1060	1012	rundll32.exe	rundll32.exe
PID 1012 wrote to memory of 1060	1012	rundll32.exe	rundll32.exe
PID 1012 wrote to memory of 1060	1012	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm\Plugins\Computerdefaults.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm\Plugins\Computerdefaults.dll,#1
2⤵
PID:1060