e6f222cc5018a7309b688e65b543daaa39c33d46ae8e71e1dfb46fc2f8de4fa5

Analysis

max time kernel
92s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 11:43

Target

41874d93fcd30adbe0cda33206a792e4_JaffaCakes118.dll
Size

37KB
MD5

41874d93fcd30adbe0cda33206a792e4
SHA1

2528f135bfce33e284dd9cff85223040cb268780
SHA256

e6f222cc5018a7309b688e65b543daaa39c33d46ae8e71e1dfb46fc2f8de4fa5
SHA512

927f8b08ba040e223f5a52a65fd4ee54d17b59e1a1fd6a4e6eab8be9efd3161b4bdbc9bede44c156c0e9551bf919d7653d0657c78922d9cc19d117b6d9b5a494
SSDEEP

768:QqtPUGqg2uHhgVFUQXXZ+bJFys6gepV8zt3BoOZM0nASb00Hm:QasGqgvOUGGJQ9gQV8J3BhZ8k00Hm

Score

1^/10

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4836	2312	rundll32.exe	83
PID 2312 wrote to memory of 4836	2312	rundll32.exe	83
PID 2312 wrote to memory of 4836	2312	rundll32.exe	83
PID 4836 wrote to memory of 2364	4836	rundll32.exe	85
PID 4836 wrote to memory of 2364	4836	rundll32.exe	85
PID 4836 wrote to memory of 2364	4836	rundll32.exe	85
PID 2364 wrote to memory of 4488	2364	net.exe	87
PID 2364 wrote to memory of 4488	2364	net.exe	87
PID 2364 wrote to memory of 4488	2364	net.exe	87
PID 4836 wrote to memory of 4220	4836	rundll32.exe	88
PID 4836 wrote to memory of 4220	4836	rundll32.exe	88
PID 4836 wrote to memory of 4220	4836	rundll32.exe	88
PID 4220 wrote to memory of 1832	4220	net.exe	91
PID 4220 wrote to memory of 1832	4220	net.exe	91
PID 4220 wrote to memory of 1832	4220	net.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41874d93fcd30adbe0cda33206a792e4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\41874d93fcd30adbe0cda33206a792e4_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\net.exe
    net stop winss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winss
      4⤵
      PID:4488
- - C:\Windows\SysWOW64\net.exe
    net stop OcHealthMon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OcHealthMon
      4⤵
      PID:1832

memory/4836-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4836-1-0x0000000000E50000-0x0000000000E55000-memory.dmp

Filesize
20KB

Download
memory/4836-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4836-3-0x0000000000E50000-0x0000000000E55000-memory.dmp

Filesize
20KB

Download