502a0e685078b5c44fd566ea2f14c7f998fbb1d04f6527a5c289bc661e6b9944 | Triage

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 12:04

Sharing

Report Analysis Logs

General

Target

SFhelper.dll
Size

54KB
MD5

742b299f76eeffe057a63574c295ce75
SHA1

b7ab39b8c0958885b55ff6ca4bce31d077445596
SHA256

887634e1ad732a47bb0823144957b18e5376dac6dc228c4e69c8bf1dc99de34a
SHA512

ad539f025dbd38fcb8dcc3ba8cb571a51fc7c94ef833ee1e4f980338e6f0ef9a3cada0cf8707b2cefaeee15ba35f35a75822f8c85e34052ce5ba44af3abbbef2
SSDEEP

1536:HXyKXRJLlX1RDFUaKXLXgWknZGUGCWg9HuARKgy:iKX9FUaKGWg9HuARK7

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3192 wrote to memory of 4276	3192	rundll32.exe	rundll32.exe
PID 3192 wrote to memory of 4276	3192	rundll32.exe	rundll32.exe
PID 3192 wrote to memory of 4276	3192	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SFhelper.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\SFhelper.dll,#1
  2⤵
  PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2628 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4276-0-0x0000000000720000-0x0000000000733000-memory.dmp

Filesize
76KB

Download