ebfc2b62ea889cf96c4eb0b649672c6b713ad163fd5818c2f46a9b5726dd80fb | Triage

Analysis

max time kernel
139s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 14:46

Sharing

Report Analysis Logs

General

Target

客户端/20201108/libcro.dll
Size

74KB
MD5

eb21f4f06f900c89519ccf17a0ead35b
SHA1

ad30037f31f910ece2ba79fa30e55128d63059e6
SHA256

618e38e0e5ccdefbd4bc4987f60c40f1c2f733c2441ed2026d1530910d7196bd
SHA512

dd58edad7fdd0e8f352805f75bff7bfda1b016f0815b8df68b9947e456b47f140fc470dbf9ec37adc724601c27ca7276ba88bdc62573b44167bcd12c19cc482a
SSDEEP

1536:TW4k95Lkeu4BImLAEgioTc8AJsWjcd53aI/n5K:TWn5IyVGF53nc

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3964 wrote to memory of 1464	3964	rundll32.exe	rundll32.exe
PID 3964 wrote to memory of 1464	3964	rundll32.exe	rundll32.exe
PID 3964 wrote to memory of 1464	3964	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\客户端\20201108\libcro.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\客户端\20201108\libcro.dll,#1
2⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:3160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...