ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd | Triage

Analysis

max time kernel
89s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28/04/2024, 10:49

Sharing

Report Analysis Logs

General

Target

sqlcipher32.dll
Size

531KB
MD5

d29fb377305d23499a4ec41afd57dcdd
SHA1

adc221f02c7b8668119d20fd0fefc53b62d9b710
SHA256

e91c75224702835bf124efd0850ac1db3eb14f4fd2b5ee89d15838f9fe16f9ea
SHA512

f31f92459f8db48b901176a91d8039c37bb3c2cce50f9217e53f2aa91605b63a2077ef7f0ea6115480f11b387adbef0060413cc92b37edc4b6229a7b2fa90e3b
SSDEEP

12288:UwObJjxx52AyV7VjwSKij35F2wXA3NG8WtV9VeZg/n8x:UwObJjxx52tVESKijJFBA3NqtDV10x

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3412	3920	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 3920	3416	rundll32.exe	80
PID 3416 wrote to memory of 3920	3416	rundll32.exe	80
PID 3416 wrote to memory of 3920	3416	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlcipher32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlcipher32.dll,#1
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 492
    3⤵
    - Program crash
    PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3920 -ip 3920
1⤵
PID:4992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads