42b93254b754f4c8b4db78da230bd219e3cf6444f46369764939a6829fa62bb4 | Triage

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 17:07

Sharing

Report Analysis Logs

General

Target

HelpButton.dll
Size

28KB
MD5

6a0cb229593ec529e5c7e62c67aa542f
SHA1

30888613c9f44d9fa4a0adb0e5d575343dce6be7
SHA256

a7c597241392090a4d01e164db834fd5252d97fb9759be1d9684813aab68ae1e
SHA512

d44855dfdb2f338373ec140b2cfb83141396cc0810dc684fdef26828fa63afff43116be89e4c8b31f99dd0c5c01b36d565b9b0dd2ab5ff1a41d405779a83bb4d
SSDEEP

192:J6NjmJDXVyPdWKSWEUb50riU6kEDVInh+g8Ok1/akYaw9DAw59X:M0zyzSbeCGUz+I+XXYaw+w5

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3904 2832 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3864 wrote to memory of 2832	3864	rundll32.exe	rundll32.exe
PID 3864 wrote to memory of 2832	3864	rundll32.exe	rundll32.exe
PID 3864 wrote to memory of 2832	3864	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HelpButton.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HelpButton.dll,#1
2⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 568
3⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2832 -ip 2832
1⤵
PID:1056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...