011113ad23b3e3b43ad249b7499f80aba5ce154489cb971331f1803b29ca45c4 | Triage

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:29

Sharing

Report Analysis Logs

General

Target

avutil-56.dll
Size

487KB
MD5

a7e71ab4ee907403c68ac1b47a80a525
SHA1

c6f9e65493dae5dafc2ca8d366b4c2c3b3c2c7f9
SHA256

011113ad23b3e3b43ad249b7499f80aba5ce154489cb971331f1803b29ca45c4
SHA512

29d0aab60abb128659dd030221dd3bfdd9124b984c2022fd2774027020425097f7422aa89753383243838269ed1a6584dbad6421af8c4aecf9266941f4b3b9a3
SSDEEP

12288:0LG9HbAqzBTTDjEk0vYkLecZBR+ixw5os:Ws7Aq6k0vY8eRes

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1276	2064	WerFault.exe	82

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 2064	968	rundll32.exe	82
PID 968 wrote to memory of 2064	968	rundll32.exe	82
PID 968 wrote to memory of 2064	968	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\avutil-56.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\avutil-56.dll,#1
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 600
    3⤵
    - Program crash
    PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2064 -ip 2064
1⤵
PID:3764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-0-0x0000000074A50000-0x0000000074CD8000-memory.dmp

Filesize
2.5MB

Download