40d529c56d6efc72ee0c2db380722e1e0fa0b6fb0034d1a1d78d370692089253 | Triage

Analysis

max time kernel
149s
max time network
269s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 01:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/UserInfo.dll
Size

4KB
MD5

a6f622a2f12ac10bca04e23deff5cada
SHA1

abf851b5ccfb64004e9b49718a467bd754545887
SHA256

b8fa7b9393fff910144768588c471ca7c9ec98a2b8b186b2172b8ba7a5279500
SHA512

35c8b0db179104e638f1b40f3f8038a41fdc327e112de5cb0dbb97cbf1dfa276fcf6400fcb46b88cb5ba233ca769becbdb4b4d40920adca831e3c0f38193c50f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4832	1988	WerFault.exe	82

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 1988	3244	rundll32.exe	82
PID 3244 wrote to memory of 1988	3244	rundll32.exe	82
PID 3244 wrote to memory of 1988	3244	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 612
    3⤵
    - Program crash
    PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1988 -ip 1988
1⤵
PID:468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads