e161926dbde52476ecadf490e4d2f8292c28bab433f6d1bc427ae13589eed769 | Triage

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:02

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/Processes.dll
Size

35KB
MD5

2cfba79d485cf441c646dd40d82490fc
SHA1

83e51ac1115a50986ed456bd18729653018b9619
SHA256

86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7
SHA512

cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043
SSDEEP

768:uxEiycFoaj/+WSiJfmjvab7L/cUf7IIlMLRF:uxEm7sgfmjy//cgdlM/

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

1208 1772 WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2068 wrote to memory of 1772	2068	rundll32.exe	rundll32.exe
PID 2068 wrote to memory of 1772	2068	rundll32.exe	rundll32.exe
PID 2068 wrote to memory of 1772	2068	rundll32.exe	rundll32.exe
PID 2068 wrote to memory of 1772	2068	rundll32.exe	rundll32.exe
PID 2068 wrote to memory of 1772	2068	rundll32.exe	rundll32.exe
PID 2068 wrote to memory of 1772	2068	rundll32.exe	rundll32.exe
PID 2068 wrote to memory of 1772	2068	rundll32.exe	rundll32.exe
PID 1772 wrote to memory of 1208	1772	rundll32.exe	WerFault.exe
PID 1772 wrote to memory of 1208	1772	rundll32.exe	WerFault.exe
PID 1772 wrote to memory of 1208	1772	rundll32.exe	WerFault.exe
PID 1772 wrote to memory of 1208	1772	rundll32.exe	WerFault.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 228
1⤵
- Program crash
PID:1208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2068

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...