78aefd46d31f2bb67f0b9bd0d831f10f21bfd9d44b9deebcfa52c45e85a72473

Analysis

max time kernel
131s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 16:17

Target

salinewin/PayloadMBR/Programs/QEMU/libcurl-4.dll
Size

295KB
MD5

baae54b1157b4c9587cceb4680b13da5
SHA1

939642b482d3e7697cec88d11aebc07bb076c2d1
SHA256

cde6e2b58641afd108ae2606337a71775021127a6109d6d64eadb056ca4598b7
SHA512

433f411f740bb2978a47776fa856874717531985ca3bfbf17cb2f6d1e106585132a7a90ef7b803a10f1293aaad63f2264ee8a8aea2806593d6944e189e0ff813
SSDEEP

6144:wK0GMvBI/QtKUbp9pDKRCzKuGpHTBI9yAR17rRH:wKEvB7Ke9pDXgHTdm7dH

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4596 4552 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4596	4552	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4300 wrote to memory of 4552	4300	rundll32.exe	rundll32.exe
PID 4300 wrote to memory of 4552	4300	rundll32.exe	rundll32.exe
PID 4300 wrote to memory of 4552	4300	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\salinewin\PayloadMBR\Programs\QEMU\libcurl-4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\salinewin\PayloadMBR\Programs\QEMU\libcurl-4.dll,#1
2⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 620
3⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4552 -ip 4552
1⤵
PID:396

memory/4552-0-0x0000000070800000-0x0000000070840000-memory.dmp

Filesize
256KB

Download