0f3bfdf1fccfa3d80af6edb597a5071099825be60264c230a0da29ca49dfd31a | Triage

Analysis

max time kernel
139s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:18

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/System.dll
Size

11KB
MD5

fbe295e5a1acfbd0a6271898f885fe6a
SHA1

d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256

a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512

2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
SSDEEP

192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4356 220 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5032 wrote to memory of 220	5032	rundll32.exe	rundll32.exe
PID 5032 wrote to memory of 220	5032	rundll32.exe	rundll32.exe
PID 5032 wrote to memory of 220	5032	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
2⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 612
3⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 220 -ip 220
1⤵
PID:4632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads