Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 20-11-2023 13:23
Behavioral task: behavioral1
- Sample: 1988-1-0x0000000000170000-0x0000000000177000-memory.dll
- Resource: win7-20231023-en
- 2 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 1988-1-0x0000000000170000-0x0000000000177000-memory.dll
- Resource: win10v2004-20231023-en
- 2 signatures
- 150 seconds
General
- Target: 1988-1-0x0000000000170000-0x0000000000177000-memory.dll
- Size: 28KB
- MD5: 1944280d47c37f646f309c1ad8a0bc63
- SHA1: cb76121d0a8698469931747a626d2cc3470b8199
- SHA256: 2c1bbcbcfbb3476b9c3735de13e01a32246d7b0b4106e6d5a1afa8389f0eac21
- SHA512: edda3a8be4bbf436945d93bb490fd2ceba79d664677374f8efc9920c2d0f7fd4207d266e76fe6246265883f8b29bd41920ca4e8e59c5adae422d0a85fb25d58a
- SSDEEP: 192:RnyGEfkfC4t+ZuGZ1W58BI2daFX4/ZtZUZSAGT/xOGdWoZ/ik8Kja1cDHs:YR8fBQZuGZw5p2do6GTgWoZ/iQW1c
- Score: 3/10
Malware Config

Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  2852  2760        WerFault.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                       pid   process       target process
  PID 2580 wrote to memory of 2760  2580  rundll32.exe  rundll32.exe
  PID 2580 wrote to memory of 2760  2580  rundll32.exe  rundll32.exe
  PID 2580 wrote to memory of 2760  2580  rundll32.exe  rundll32.exe
  PID 2580 wrote to memory of 2760  2580  rundll32.exe  rundll32.exe
  PID 2580 wrote to memory of 2760  2580  rundll32.exe  rundll32.exe
  PID 2580 wrote to memory of 2760  2580  rundll32.exe  rundll32.exe
  PID 2580 wrote to memory of 2760  2580  rundll32.exe  rundll32.exe
  PID 2760 wrote to memory of 2852  2760  rundll32.exe  WerFault.exe
  PID 2760 wrote to memory of 2852  2760  rundll32.exe  WerFault.exe
  PID 2760 wrote to memory of 2852  2760  rundll32.exe  WerFault.exe
  PID 2760 wrote to memory of 2852  2760  rundll32.exe  WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1988-1-0x0000000000170000-0x0000000000177000-memory.dll,#1
  - Suspicious use of WriteProcessMemory
  - PID: 2580
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1988-1-0x0000000000170000-0x0000000000177000-memory.dll,#1
    - Suspicious use of WriteProcessMemory
    - PID: 2760
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 196
      - Program crash
      - PID: 2852