1f6498ea52f6e948b417b405c460ddeccf8243c91b71e166a5c627f3a97b9dec | Triage

Analysis

max time kernel
84s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2023 03:05

Sharing

Report Analysis Logs

General

Target

Windows/resource/iawin32.dll
Size

240KB
MD5

85e608d4cf8c2f666ae12c023d6bcb76
SHA1

ab9e044095decade3dd32c4a1e65054f5c22bfee
SHA256

a153ec236c71829c51149bd05be2f978c68dde282deda02de16623a46c05d083
SHA512

2d5ee47159ee857f5f334694eba461a1eb0c62d4617c4a289c080f738c5de98785309188be78fc3a1ffff4114e6b4d65b41aaa8dc4b3d456e8a12f57e19d2159
SSDEEP

6144:tRUYp2eeHfishHq4uoDmqC0m2pY5oQwR:zv9eHlhsUmqTmmlR

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1508 4124 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2692 wrote to memory of 4124	2692	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 4124	2692	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 4124	2692	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windows\resource\iawin32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windows\resource\iawin32.dll,#1
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 624
    3⤵
    - Program crash
    PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4124 -ip 4124
1⤵
PID:5100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4124-133-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download