35a51326ab147368cf6078a8828fd8a872a94fcaaeb1511c3bd82665daa26fac | Triage

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 04:30

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/esbdhnf.dll
Size

166KB
MD5

5e424d2a9625073f5d210085939cb45a
SHA1

b1880f0cd48a05aeb3e3fa6aca453ceb2ee8844a
SHA256

cf70f58f97c6040c3c1e39a2808d9feeb46062d1bd5093cff10a9bac320fc4de
SHA512

063da8df2fd23299b6672107f9885958270d2e0483d78a1071a83bf1174a3f4514faa447e80ea1cf5249ffdc805503a244385559f3d72fb5a3b07f66eac81d08
SSDEEP

3072:G560cP4TkquK4/iy7YVGikCdorv+8q9swY/aoplX:k60cPj6aYjdoLVyoplX

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3832	2520	WerFault.exe	81

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2520	2848	rundll32.exe	81
PID 2848 wrote to memory of 2520	2848	rundll32.exe	81
PID 2848 wrote to memory of 2520	2848	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\esbdhnf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\esbdhnf.dll,#1
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 600
    3⤵
    - Program crash
    PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2520 -ip 2520
1⤵
PID:4236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads