1046cb0d7904a318c5a6876024258675439df692850e6a0e8ac0c03738551412 | Triage

Analysis

max time kernel
130s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 07:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/nzhwgiu.dll
Size

153KB
MD5

f10c402fbfc9943ab636c7210c2244dc
SHA1

446e86eb4f7537ca83e6b0eecf2588d1d2bdd2af
SHA256

5c2b117014d669f9304f2467f2ab6b492a4fd90ddae0ed779877cd0f507da25c
SHA512

ad2c9e2bd2b0295c7d8168560d1947d1d007afb5622e4802b5a813b585e4ced7fee935502482bd58c956b7b0a4541ca04fdcb3960c996b29637ba3db4e306f29
SSDEEP

3072:G8tEeGhEuaa6sjnWhIn4t52yLm+JG/HsCOyHQi:jtEL+Rt52dEGMyHQi

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4264	3516	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 3516	3952	rundll32.exe	84
PID 3952 wrote to memory of 3516	3952	rundll32.exe	84
PID 3952 wrote to memory of 3516	3952	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nzhwgiu.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nzhwgiu.dll,#1
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 600
    3⤵
    - Program crash
    PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3516 -ip 3516
1⤵
PID:2728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads