cc113937163765301a8ff0ba15638e3b56db08f48f6a535b2e60f7c47a4e7070 | Triage

Analysis

max time kernel
83s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2024 02:05

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/System.dll
Size

11KB
MD5

3c795e8d45946e7bb723da51273cc66c
SHA1

9ec19352414b6cd56e00b331c5ede23b78d683e5
SHA256

c94b0f1608fb41e712e153d8f9238b1f5116a336fa77adb00f2c8be0278a85b3
SHA512

d8446afb1a723c5759fba192272bf07d6c168dceb690992911170d0a4fa509ad2a11ab8c8c67ca58ef1e3cdbd4b2259f61bf561ce82e4605557dd6d9c375cc46
SSDEEP

192:w5WIHJ56sqYD43B2EU8ehkef+RIb8y/l70IOdmPIUWPs:BR6HhZMI99VRWP

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4828	2076	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 2076	4512	rundll32.exe	80
PID 4512 wrote to memory of 2076	4512	rundll32.exe	80
PID 4512 wrote to memory of 2076	4512	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 460
    3⤵
    - Program crash
    PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2076 -ip 2076
1⤵
PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads