12a7693a7510eb2c2eceb3e8d4af8d9649efbde812b408a616f17e3894ae86c5 | Triage

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 18:30

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/fflygad.dll
Size

170KB
MD5

530f95fe67c0c7bed4c7ded4cf06a28e
SHA1

1d9c908c98e0f1c4a0b5b53bbe010e4b7da98531
SHA256

24933c36862dae3b56dc20205ff9e2985174078bf98ea1c6d4e31ae727608f55
SHA512

c52b9d864413ac4108b6769dc397cf005ac97e2b7c628aec8e2762c652397b64f81c846de26a4af9231ab60f94a06fb765ad0846f304697c8e7670cbeaba296e
SSDEEP

3072:GN0ZUeRbV3oa22aGTwldKK/+vJwOzCClZAj:e0ZjRZ4zlL/L6TA

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

672 4944 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4508 wrote to memory of 4944	4508	rundll32.exe	rundll32.exe
PID 4508 wrote to memory of 4944	4508	rundll32.exe	rundll32.exe
PID 4508 wrote to memory of 4944	4508	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\fflygad.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\fflygad.dll,#1
2⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 600
3⤵
- Program crash
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4944 -ip 4944
1⤵
PID:3084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads