ae391fc544c6a8ba2ae2b03d2aa1926148603f55a1d56aa23ae26ae07eb6cda1 | Triage

Analysis

max time kernel
451s
max time network
1170s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
06-04-2024 21:07

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/BgWorker.dll
Size

2KB
MD5

33ec04738007e665059cf40bc0f0c22b
SHA1

4196759a922e333d9b17bda5369f14c33cd5e3bc
SHA256

50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be
SHA512

2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3532	1624	WerFault.exe	76

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 1624	3328	rundll32.exe	76
PID 3328 wrote to memory of 1624	3328	rundll32.exe	76
PID 3328 wrote to memory of 1624	3328	rundll32.exe	76

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 452
    3⤵
    - Program crash
    PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1624 -ip 1624
1⤵
PID:1952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads