5d03aa31e99aec7138033b75ccac3012336305861abfca05d5a55e9d78476879 | Triage

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 06:13

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/nsExec.dll
Size

6KB
MD5

143e45d5929ba564ba0c3a0773be76e6
SHA1

c7e108ad681dd19afc646a43f7ce757388653f57
SHA256

8459feb67b7eb0caaaed607e0f36c8d4979abf1bad87e7f1c7c2b97c73174d6d
SHA512

1114403b9af202396ffe32610e1160313ff22c488f87b4a8f771d14fda02a954af7beacad5655143dafdf0af9a76b2a0d5c121ef57819e0567c367578482f003
SSDEEP

96:T7fhZwXd8KgEbAa9PweF1WxD8ZLMJGgmkN238:0N8KgWAuLWxD8ZAGgmkN

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4532 3828 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3660 wrote to memory of 3828	3660	rundll32.exe	rundll32.exe
PID 3660 wrote to memory of 3828	3660	rundll32.exe	rundll32.exe
PID 3660 wrote to memory of 3828	3660	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
2⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 612
3⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3828 -ip 3828
1⤵
PID:4488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads