deead1744cca257823cffb977b07d05f932fb902ce6e3ddedb4c667ca6aea021 | Triage

Analysis

max time kernel
157s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 03:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1.dll
Size

537KB
MD5

1e1a81646c03eb695021d230a103f66e
SHA1

a4d7eb70992ce42be3a1ab349c40ee4620041f32
SHA256

a257fda50a25ddbd04dd93348b126d78153207dbfdc1ea643a5a9b382799d5bc
SHA512

f1ba36437713c17ccaf1aa7ec0b9170a5cd1980189cfb182e400c96f7572ec9592a90ec41ffabe538d726766ef2d5ee95517c9b75a14d7f9c3d114ac582ed70f
SSDEEP

12288:NSEgtSqY4OYVIDXbbbbbbbbbbbbbbbbbbbb6jn1E3I0zDWS+6:N7gAqYTYpJE3I0zDWR6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5000	2332	WerFault.exe	66

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2332	1156	rundll32.exe	66
PID 1156 wrote to memory of 2332	1156	rundll32.exe	66
PID 1156 wrote to memory of 2332	1156	rundll32.exe	66

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 868
    3⤵
    - Program crash
    PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2332 -ip 2332
1⤵
PID:3872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads