152ed75bb4b87c3830c6b353a2bf84cb6a4ea1ff9450207a7ccf07d0e1c633da | Triage

Analysis

max time kernel
211s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/07/2024, 17:49 UTC

Sharing

Report Analysis Logs

General

Target

$TEMP/R2RIKM2.dll
Size

6KB
MD5

5ab745c63015a8f7ad2e352f3e27ffa6
SHA1

451f220317dcd0e1693d0c2c53bf504ba5021393
SHA256

f0daf110506df054c349be136157fca6b534bc36b6029fbd112ce9fea5772bce
SHA512

604959c4521a79adcd217e3a97ae480bfdccdfec05e77342b3ecf092606188ef0268c247739af1030dcd4358b7a6a6a4dfa4f689a773b4a049d18c3d6c40a531
SSDEEP

96:kLEVBzMjDWUymEi2A4PT88aU7a/9aDHJnHI3CWuhlvC5/iBwD35:PhyatiIT8/U7WaJHIKhlvC5/+o5

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4432	3348	WerFault.exe	75

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 3348	4400	rundll32.exe	75
PID 4400 wrote to memory of 3348	4400	rundll32.exe	75
PID 4400 wrote to memory of 3348	4400	rundll32.exe	75

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RIKM2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RIKM2.dll,#1
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 612
    3⤵
    - Program crash
    PID:4432

Network

DNS

26.211.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.211.222.173.in-addr.arpa

IN PTR

Response

26.211.222.173.in-addr.arpa

IN PTR

a173-222-211-26deploystaticakamaitechnologiescom
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

15.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.173.189.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

57.110.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.110.18.2.in-addr.arpa

IN PTR

Response

57.110.18.2.in-addr.arpa

IN PTR

a2-18-110-57deploystaticakamaitechnologiescom

52.142.223.178:80

46 B
1

8.8.8.8:53

26.211.222.173.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

26.211.222.173.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

15.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

15.173.189.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

57.110.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

57.110.18.2.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads