6bcfb8211b6cfd36c6864a4d9df4c19527e08d062865e29fa43fbb3d706052ca | Triage

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 05:50

Sharing

Report Analysis Logs

General

Target

ELSCore.dll
Size

59KB
MD5

72fac8dbe378d8c1fc82475350cde02b
SHA1

43c2bd4ffb8baf36cbc1802c49459b2915bbeca6
SHA256

6bcfb8211b6cfd36c6864a4d9df4c19527e08d062865e29fa43fbb3d706052ca
SHA512

07a4d9970b23e1ddac8b3f0ce80c3d096a8bd60f8b6016a3f2820afb92955c726ee6ecd7cf74054e7cc2b29c7ce74a13563d329edaac3b66dee7b74def9190a2
SSDEEP

1536:6+FIo02XLswLvljFpMuiTV+H+POePGpe4fYv2yHk:6+eo029LpiTV3POePme4s2yE

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3488	2640	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 2640	3088	rundll32.exe	83
PID 3088 wrote to memory of 2640	3088	rundll32.exe	83
PID 3088 wrote to memory of 2640	3088	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ELSCore.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ELSCore.dll,#1
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 612
    3⤵
    - Program crash
    PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2640 -ip 2640
1⤵
PID:2940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads