7f1b25fe9d8244cb85dc9e64f1f20cb67635f85492cae92dcf790bdc6da56bbb

Analysis

max time kernel
41s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 05:40

Target

276e1ad179a2f5e68059eaf3be065938_JaffaCakes118.dll
Size

38KB
MD5

276e1ad179a2f5e68059eaf3be065938
SHA1

316a9efbb7a8da60fb2f2c231184d200e8f94f1c
SHA256

7f1b25fe9d8244cb85dc9e64f1f20cb67635f85492cae92dcf790bdc6da56bbb
SHA512

9c6f3fe01348f5f23d9529db3a2f3989c78298a4f61c855797fae7d8a508a4dd934b1bc501be93c08a093875bea602e5936116d7fcce95d149b86e0ecd431980
SSDEEP

768:5SphF6yi/fB8pYu1wnBNJrhPlkn39YWkPoj0IrfM+nqWgG8F:5Sd0+pHYBNRhPlk30PTIrfMfWg

Score

1^/10

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1328	1876	rundll32.exe	80
PID 1876 wrote to memory of 1328	1876	rundll32.exe	80
PID 1876 wrote to memory of 1328	1876	rundll32.exe	80
PID 1328 wrote to memory of 2384	1328	rundll32.exe	81
PID 1328 wrote to memory of 2384	1328	rundll32.exe	81
PID 1328 wrote to memory of 2384	1328	rundll32.exe	81
PID 2384 wrote to memory of 1056	2384	net.exe	83
PID 2384 wrote to memory of 1056	2384	net.exe	83
PID 2384 wrote to memory of 1056	2384	net.exe	83
PID 1328 wrote to memory of 3672	1328	rundll32.exe	84
PID 1328 wrote to memory of 3672	1328	rundll32.exe	84
PID 1328 wrote to memory of 3672	1328	rundll32.exe	84
PID 3672 wrote to memory of 4628	3672	net.exe	86
PID 3672 wrote to memory of 4628	3672	net.exe	86
PID 3672 wrote to memory of 4628	3672	net.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\276e1ad179a2f5e68059eaf3be065938_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\276e1ad179a2f5e68059eaf3be065938_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\net.exe
    net stop winss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winss
      4⤵
      PID:1056
- - C:\Windows\SysWOW64\net.exe
    net stop OcHealthMon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OcHealthMon
      4⤵
      PID:4628

memory/1328-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1328-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download