ea126bc5f10a51b1750b13e72c428811f5e6d54c835f39f0af0e6e3551432374 | Triage

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 00:00

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/ToolTips.dll
Size

4KB
MD5

9a0da2692764bb842411a8b9687ebbb7
SHA1

5c3a459faa08a704bdf162476897ad4580ae39bd
SHA256

28aeaa48c929188a0d169887cc3f16370741467ae49e1db59763f030710a6bbb
SHA512

814d686617df4fe9f50a93dac9428babff3a14836aa27b4666976379ec3fafcab65fd82d8886998fa65e7b59dc192ca067cf8b4cdeb8ef551812912d80dab8ed
SSDEEP

48:apm2+v7BWCLWQqLa7JZ0ZK59HXesxdrqZZSakw6/K:Ymjv7BWoTicJZ0ZKPHXVx1MOw6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4528	1520	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1520	5068	rundll32.exe	84
PID 5068 wrote to memory of 1520	5068	rundll32.exe	84
PID 5068 wrote to memory of 1520	5068	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ToolTips.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ToolTips.dll,#1
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 616
    3⤵
    - Program crash
    PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1520 -ip 1520
1⤵
PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads