eb679569bc6b727a0105e43035bb5734f1edc3aed047ddda1d8d0b6cc61e45fa | Triage

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 19:40

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/nsExec.dll
Size

6KB
MD5

b55f7f1b17c39018910c23108f929082
SHA1

1601f1cc0d0d6bcf35799b7cd15550cd01556172
SHA256

c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7
SHA512

d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa
SSDEEP

96:L7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN538:RbGgGPzxeX6D8ZyGgmkN

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	712	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 712	3480	rundll32.exe	84
PID 3480 wrote to memory of 712	3480	rundll32.exe	84
PID 3480 wrote to memory of 712	3480	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
  2⤵
  PID:712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 612
    3⤵
    - Program crash
    PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 712 -ip 712
1⤵
PID:3736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads