449bf249c170a1b3275c2a3ed45292244ecb49bf3be24ccef3809330de252d90 | Triage

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 13:38

Sharing

Report Analysis Logs

General

Target

$PLUGINSDIR/nsExec.dll
Size

6KB
MD5

520d07e4bdab538c87b797d687717639
SHA1

569e5afdeee3cd6b2a77f715828ccb97b470f5fa
SHA256

9bf2482d0cdd486e1ec6d21eec00ac95538a7513a7f3c3ba117f7bf21a2b8f2d
SHA512

2302618d7b22913b11b1127378109f476de60f4231de377c5d0509b332e47efc12ca3294f3b36621eb7eb5b62b0a9ca98b5ef9692a807de58efd753594ab0185
SSDEEP

96:Jt4Vl/7Lo1UBrob9ljNEUgD7cyuM1x9XkraK2A2KAB5VVDyssKZ:Jt4Vlw1Iul5J8T1vK20I5VVGsb

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1480 5000 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5412 wrote to memory of 5000	5412	rundll32.exe	rundll32.exe
PID 5412 wrote to memory of 5000	5412	rundll32.exe	rundll32.exe
PID 5412 wrote to memory of 5000	5412	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5412

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
2⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 612
3⤵
- Program crash
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5000 -ip 5000
1⤵
PID:4208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...