c31559a2a00424708cba5db2052e7a9d8f3c75733ac6ba724192ab6780d54538 | Triage

Analysis

max time kernel
132s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 05:42

Sharing

Report Analysis Logs

General

Target

ExecModelClient.dll
Size

281KB
MD5

e4845aa27485797c99c8c69a48a4b319
SHA1

95dec5be229fba4c944fa9fc2d6892d6bd0baec8
SHA256

c31559a2a00424708cba5db2052e7a9d8f3c75733ac6ba724192ab6780d54538
SHA512

cde63ba1ba1e2135f63b7740a847f72ea83bb6931371e4fbf36fe948fb3e72faea1503c81c36163ef22dfa0733886d888251e58219a1bc62a829ebd86bc01c1b
SSDEEP

6144:1srmzoYFwVkosKGgc7sWausuC+S8dItA0MAMy0T0SBwyY:1mwCuC+SQLAMbBwyY

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	2020	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2020	2892	rundll32.exe	83
PID 2892 wrote to memory of 2020	2892	rundll32.exe	83
PID 2892 wrote to memory of 2020	2892	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ExecModelClient.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ExecModelClient.dll,#1
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 680
    3⤵
    - Program crash
    PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2020 -ip 2020
1⤵
PID:3696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads