68ba050bc8dba981d55c1b543d999239b0fdf552b180042accd6fa30624c97d8 | Triage

Analysis

max time kernel
55s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 01:48

Sharing

Report Analysis Logs

General

Target

$TEMP/garibaldis.dll
Size

64KB
MD5

aa191c8977c64beb25e4cca96d001eaa
SHA1

0da1ca6efebe4b31e2cbb4947d7059eb4b30f73a
SHA256

0df5d18c3b7256f038c72a7d4f45cf26e9b3b5e72be948c63261956e267ac012
SHA512

5e8f4d62d1f7ea89f8da5176ff9d149be678e249add66ab0f90e988c892c4b2c1838b2bc7187b004c5028f1e85ea622efb1f14d246d9d9deb3d19cd8f260bb2e
SSDEEP

768:gbacCn6BXFGOUrCrS5tLcrUrlrNLA7/MYure8up1wtJzu6si1n:I5BVOrj5dcWlh2/MYpvwtF1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	1992	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1992	384	rundll32.exe	84
PID 384 wrote to memory of 1992	384	rundll32.exe	84
PID 384 wrote to memory of 1992	384	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\garibaldis.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\garibaldis.dll,#1
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 584
    3⤵
    - Program crash
    PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1992 -ip 1992
1⤵
PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads