94bafd8f48d59d13951e59a5d657c71a3f4f922a7d51f6d4af6db1de48109754 | Triage

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 16:09

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/NSISdl.dll
Size

79KB
MD5

f7902c17e252d1200eabb3416da5799c
SHA1

348740ffdaf35870c307e0bca270b511c3dd6b6f
SHA256

3f68a157046e58f9f04d1361ef8bbac46435f242f0a3d9196917466061a54465
SHA512

26a5b86d292bac87f1baf7d79482d21ba9da731a795f70c40446ac52f6cde0a0a103ce94b87866fff868bf3bc1fe55e5f9ba95682ef025faa44901c1d8122cfb
SSDEEP

1536:WEvXaE4RRX5V1QGJkcQ5qm0NRUgn7OKg:uE4Rp5UEeyUgn7OKg

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4736	3536	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 3536	3216	rundll32.exe	83
PID 3216 wrote to memory of 3536	3216	rundll32.exe	83
PID 3216 wrote to memory of 3536	3216	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 624
    3⤵
    - Program crash
    PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3536 -ip 3536
1⤵
PID:2300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3536-0-0x0000000070C00000-0x0000000070C1E000-memory.dmp

Filesize
120KB

Download