Analysis
- max time kernel: 141s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-05-2023 06:53
Behavioral task: behavioral1
- Sample: 871598b9007f599b43a1abf255f950b63e6765685ae3d45756bf05fa82e337b1.dll
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 871598b9007f599b43a1abf255f950b63e6765685ae3d45756bf05fa82e337b1.dll
- Resource: win10v2004-20230220-en
General
- Target: 871598b9007f599b43a1abf255f950b63e6765685ae3d45756bf05fa82e337b1.dll
- Size: 201KB
- MD5: 77099bbd1007b7f819a7e1289194aeaf
- SHA1: 00cfcfd799a3d94b8705af082693b23da7d97afb
- SHA256: 871598b9007f599b43a1abf255f950b63e6765685ae3d45756bf05fa82e337b1
- SHA512: 1b7d75a2b76c1e0eecd0c969d32c6119eff3ad3aa3325d8208d3b8e029c70bae835c023ba38c1f4215f5ecfa979d348d6e9271b0a753b1e1c2a928cf06ae6b2c
- SSDEEP: 3072:Ya9hHwjrCHZaOLZL/WlY5HI85pkzYBIlRDCNDPOx3Q0dEEaO2AL5bnIDQ8vzR4:Ya9haCN7kY6L4qg0OO2QnCza
Malware Config
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1960 | 2012 | WerFault.exe | rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2000 wrote to memory of 2012 | 2000 | rundll32.exe | rundll32.exe (7 events)
  PID 2012 wrote to memory of 1960 | 2012 | rundll32.exe | WerFault.exe (4 events)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\871598b9007f599b43a1abf255f950b63e6765685ae3d45756bf05fa82e337b1.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\871598b9007f599b43a1abf255f950b63e6765685ae3d45756bf05fa82e337b1.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 284
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/2012-54-0x0000000010000000-0x0000000010064000-memory.dmp (Filesize: 400KB)
- memory/2012-55-0x0000000010000000-0x0000000010064000-memory.dmp (Filesize: 400KB)
- memory/2012-56-0x0000000010000000-0x0000000010064000-memory.dmp (Filesize: 400KB)
- memory/2012-57-0x0000000010000000-0x0000000010064000-memory.dmp (Filesize: 400KB)
- memory/2012-58-0x0000000010000000-0x0000000010064000-memory.dmp (Filesize: 400KB)