f1160a33fb79c764cdc4c023fa700054ae2945ed91880e37348a17c010ca716f | Triage

Analysis

max time kernel
132s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 21:29

Sharing

Report Analysis Logs

General

Target

libssh2.dll
Size

192KB
MD5

d69d6fa9dfe91dcde26aa2aa4bf9289e
SHA1

c756d3b14be75182f3c504f1574b418cf07152e7
SHA256

0a1a25372a8025181699bf4f999a0b05c7958b7e4cc33ea37a9ed63bc2b11f5b
SHA512

aa3325a69a1d8698d5fcfadddcb3bb1b9ef73e9aca73347ef56d4a7b5811b1091e8fbbd0155f2852ae9f2a90c66034692354bf210bfbfd4a95de115208aa9bda
SSDEEP

6144:OBPzw/U4fcXoLRUsqJN4G8ISkelY3KMJWZ0S/:OBbwM4fcXoesS+G8RkXh

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
888	4276	WerFault.exe	89

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4276	4136	rundll32.exe	89
PID 4136 wrote to memory of 4276	4136	rundll32.exe	89
PID 4136 wrote to memory of 4276	4136	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libssh2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\libssh2.dll,#1
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 628
    3⤵
    - Program crash
    PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4276 -ip 4276
1⤵
PID:3356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads