e7a092b0cef73c26119d5e638a8016f3f40ba2269cf66e0746c7b6356c1798f0 | Triage

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 06:54

Sharing

Report Analysis Logs

General

Target

KingRoot PC 1.5Beta/AdbTools.dll
Size

91KB
MD5

e891fe703e421cf0fab45daa66b6addc
SHA1

fcd00a0868ac4a87f8fcc3a969f4a6943e5c63b5
SHA256

49fe4dbfdafcb66c1692682ebc98fef9be76fc96f521b3c44b79a92a6faf14b2
SHA512

f3d6ee39aad2d39d1d8de2fd985581688f51bff34584510b9ba181c645c1a2aff7ad07e3b08e61f04e2bae7fbfa63ca476999330778c2ea52f09bc1e3bea49fd
SSDEEP

1536:DatWuNePW9HgGs3m67E+J3nOyOjPar1iTnLB4D3Ku:U39HiZnOapiB4D3Ku

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3356	2836	WerFault.exe	24

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2836	2744	rundll32.exe	24
PID 2744 wrote to memory of 2836	2744	rundll32.exe	24
PID 2744 wrote to memory of 2836	2744	rundll32.exe	24

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KingRoot PC 1.5Beta\AdbTools.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KingRoot PC 1.5Beta\AdbTools.dll",#1
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 612
    3⤵
    - Program crash
    PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2836 -ip 2836
1⤵
PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads