cc113937163765301a8ff0ba15638e3b56db08f48f6a535b2e60f7c47a4e7070 | Triage

Analysis

max time kernel
138s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2024 23:36

Sharing

Report Analysis Logs

General

Target

$3/VST Support/NotePerformer32.dll
Size

6.3MB
MD5

d14ae277899149fa0a716690781d5a4c
SHA1

9a746590c30331eb090c231a34cba9e49d2c6c3c
SHA256

bf86ac1b5d0bf425c20b084db568e7aa51be4843494048acf394cbe0d501bf93
SHA512

2b50a5ffe0e329587a7521f2d5d8abfe92ac22b0ee3025532473c7b3d81b95f02d158e8df8f7935971291a848c95ae48e33e87680190ab27c06ec289d9530c53
SSDEEP

49152:On92ef7Mjll9blidjFoEltkCUHgWNQIHEPeqLh7:plUoPCUHgWkeq

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4400	2840	WerFault.exe	79

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5492 wrote to memory of 2840	5492	rundll32.exe	79
PID 5492 wrote to memory of 2840	5492	rundll32.exe	79
PID 5492 wrote to memory of 2840	5492	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\$3\VST Support\NotePerformer32.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5492
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\$3\VST Support\NotePerformer32.dll",#1
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 556
    3⤵
    - Program crash
    PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2840 -ip 2840
1⤵
PID:4380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads