4fd8ca190359ff01d12910001e22e3b55518efa5b1bc594667ebdcbf58f66a6c | Triage

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 16:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ReShade64.dll
Size

3.2MB
MD5

8a4db9e0d36671fb1ced5d91eefe5e91
SHA1

44deacd8627e8cbe67c0026031a83dd95a4f3c44
SHA256

32696801af665fee9a968893b67216f4957a85f1743bd9cf8c9b96afa4096923
SHA512

5b7242975b9e289f91e079a701587a32e920427393211d4164462a13d9de7b243833909d119f79269691e09c97a1c30628e8e8d61d678e750302824463f9c314
SSDEEP

49152:T4KqolX3u0RwVBPELJloh81MkhBrS72HwZl7en2RYPgai5:1lX+laJlZxh8DlE5i5

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2484	rundll32.exe
2484	rundll32.exe
2484	rundll32.exe
2484	rundll32.exe
2484	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2272	2484	rundll32.exe	28
PID 2484 wrote to memory of 2272	2484	rundll32.exe	28
PID 2484 wrote to memory of 2272	2484	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ReShade64.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2484 -s 144
  2⤵
  PID:2272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2484-0-0x00000000779D0000-0x00000000779D1000-memory.dmp

Filesize
4KB

Download