Analysis

  • max time kernel
    143s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/03/2023, 15:34

General

  • Target

    987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll

  • Size

    352KB

  • MD5

    4e57bc503140d50f5937444aa7719ad2

  • SHA1

    d44dbfe2f0112a72969e7dcd97e969a2d1bf7cb4

  • SHA256

    987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48

  • SHA512

    4cb22c31bd3e170763d45ad3816d12884232625a41aa7462c45337ddd4be7635cdbb94ef177be8ca8e3a895ff1122e6fc16068d4cd4a1c8a33151cbce44b59b9

  • SSDEEP

    6144:dlZfHJBfoMMiKYYXytfltzOWsDGCitOiXfG5iIZE90:btHJtoMMiYXytflttsDGCitZf6iIO9

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Modifies registry class 19 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3752
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,#1
      2⤵
      PID:3048
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 416 -p 3864 -ip 3864
    1⤵
    PID:1336
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3864 -s 4240
    1⤵
    • Program crash
    PID:1560
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4652
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4080
    • \??\c:\Windows\System32\rundll32.exe
      rundll32.exe c:\Users\Admin\AppData\Local\Temp\987ac6627a2e59290a15e91ec91b9028106e7f9ebce059a2b54cbbb4b30c3d48.dll,RS32
      2⤵
      PID:4664

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}
    Filesize
    36KB
    MD5
    8aaad0f4eb7d3c65f81c6e6b496ba889
    SHA1
    231237a501b9433c292991e4ec200b25c1589050
    SHA256
    813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
    SHA512
    1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
    Filesize
    36KB
    MD5
    406347732c383e23c3b1af590a47bccd
    SHA1
    fae764f62a396f2503dd81eefd3c7f06a5fb8e5f
    SHA256
    e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e
    SHA512
    18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

  • memory/4652-139-0x0000028EABCA0000-0x0000028EABCC0000-memory.dmp
    Filesize
    128KB

  • memory/4652-144-0x0000028EAC070000-0x0000028EAC090000-memory.dmp
    Filesize
    128KB

  • memory/4652-142-0x0000028EABC60000-0x0000028EABC80000-memory.dmp
    Filesize
    128KB

  • memory/4652-326-0x00000286A9000000-0x00000286AA92F000-memory.dmp
    Filesize
    25.2MB

  • memory/4652-710-0x00000286A9000000-0x00000286AA92F000-memory.dmp
    Filesize
    25.2MB