Analysis
- max time kernel: 133s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 05:00
Behavioral task
- behavioral1
- Sample: f89b786097ed604e74c4ca5e95e2e142cc53d1158ef9121fc7f1a92622070943.dll
- Resource: win7-20240215-en
- Platform: windows7-x64
- 3 signatures
- 150 seconds
General
- Target: f89b786097ed604e74c4ca5e95e2e142cc53d1158ef9121fc7f1a92622070943.dll
- Size: 127KB
- MD5: 29200688371638751b3ed5422e2fadfb
- SHA1: a172c955fcb32361c63bb6cc3072c7bd0de82ace
- SHA256: f89b786097ed604e74c4ca5e95e2e142cc53d1158ef9121fc7f1a92622070943
- SHA512: afa1b1be68d49f8bc7fa8f0626c0423a2196d70831d11f80a38be85a1330919c869fb97a14ae80f72eed6e759013b1430351883b2cfcf6765b8a6e7015eabe74
- SSDEEP: 3072:OMbIWiyr7pjvTooBFEbWwIUJlTBft3+1+N:OCIWiyr7JHn16lTBl3+1
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cirobfak.exe | rundll32.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3688 | 3580 | WerFault.exe | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 2992 wrote to memory of 3580 | 2992 | rundll32.exe | rundll32.exe
  PID 2992 wrote to memory of 3580 | 2992 | rundll32.exe | rundll32.exe
  PID 2992 wrote to memory of 3580 | 2992 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f89b786097ed604e74c4ca5e95e2e142cc53d1158ef9121fc7f1a92622070943.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f89b786097ed604e74c4ca5e95e2e142cc53d1158ef9121fc7f1a92622070943.dll,#1
    - Drops startup file
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 624
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3580 -ip 3580
Network
MITRE ATT&CK Matrix
Downloads
- memory/3580-0-0x0000000010000000-0x0000000010023000-memory.dmp (Filesize: 140KB)