3fe1f468e3ba9b4adb193fc391cbecede89148cf711c1481644f82d9d36afc56 | Triage

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 08:56

Sharing

Report Analysis Logs

General

Target

$TEMP/kcheck.dll
Size

3KB
MD5

d7abd1fa2c2bf8d37b38851d498bf4bf
SHA1

4701dfb6ccab99988278540c4326c09ea7a2551a
SHA256

e11a73b3bc733d4ccb6fc334a1e205e5a8b5183bf376f0b268f900b3165d5613
SHA512

1e654cabdb8f850da70f6c98eb017c649cbb14a4a69f5848dd2753dcfb78b256c45cb6fefad3be13fe00dcf51fcb1b526b5226d4a6d31e8fbaa29b24398cd15f

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral18/memory/4696-0-0x0000000010000000-0x0000000010008000-memory.dmp	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral18/memory/4696-0-0x0000000010000000-0x0000000010008000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4696	1644	rundll32.exe	83
PID 1644 wrote to memory of 4696	1644	rundll32.exe	83
PID 1644 wrote to memory of 4696	1644	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kcheck.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kcheck.dll,#1
  2⤵
  PID:4696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4696-0-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download