30202655ac09c4e87af419d8b461a2195fcc353f6ee7a6816b8075726e3e750b | Triage

Resubmissions

19/04/2024, 14:52

240419-r82wmafb32 10

19/04/2024, 14:48

240419-r6mnxsfa59 10

Analysis

max time kernel
90s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2024, 14:52

Sharing

Report Analysis Logs

General

Target

dotNET_Reactor/NCC3.dll
Size

72KB
MD5

aa84f91edd922e7b3bb979e663c94f1a
SHA1

da46b9962a6c6cceef38c3e11b8b5bc9c1b536fa
SHA256

38274608d5a4b53ec22f8099f798ba46ce0ed41db65a33dfb3853f0dbf849f6f
SHA512

88392fc77a0300ece306908867be38011530d9eefdf003452ba86d82f2fa4a61c2b27a199f376ac307c095beaa4f52cefcab59c8b28fa187c0bca13f55f2d98b
SSDEEP

1536:a44UF/3qab79HtYDAD5MPEBq9iNv6qfSOBHfVW:a44G3fRMPiuuv6qqOBHfVW

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2296	1476	WerFault.exe	79

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1476	2848	rundll32.exe	79
PID 2848 wrote to memory of 1476	2848	rundll32.exe	79
PID 2848 wrote to memory of 1476	2848	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dotNET_Reactor\NCC3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dotNET_Reactor\NCC3.dll,#1
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 452
    3⤵
    - Program crash
    PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1476 -ip 1476
1⤵
PID:744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads