ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd | Triage

Analysis

max time kernel
89s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 10:49

Sharing

Report Analysis Logs

General

Target

sqlcipher32.dll
Size

531KB
MD5

d29fb377305d23499a4ec41afd57dcdd
SHA1

adc221f02c7b8668119d20fd0fefc53b62d9b710
SHA256

e91c75224702835bf124efd0850ac1db3eb14f4fd2b5ee89d15838f9fe16f9ea
SHA512

f31f92459f8db48b901176a91d8039c37bb3c2cce50f9217e53f2aa91605b63a2077ef7f0ea6115480f11b387adbef0060413cc92b37edc4b6229a7b2fa90e3b
SSDEEP

12288:UwObJjxx52AyV7VjwSKij35F2wXA3NG8WtV9VeZg/n8x:UwObJjxx52tVESKijJFBA3NqtDV10x

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3412 3920 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3416 wrote to memory of 3920	3416	rundll32.exe	rundll32.exe
PID 3416 wrote to memory of 3920	3416	rundll32.exe	rundll32.exe
PID 3416 wrote to memory of 3920	3416	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlcipher32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlcipher32.dll,#1
2⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 492
3⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3920 -ip 3920
1⤵
PID:4992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads