Analysis

max time kernel: 124s
max time network: 124s
platform: windows7_x64
resource: win7v20210410
submitted: 18-05-2021 19:25

Static task: static1
Behavioral task: behavioral1
Sample: 4802545.xs2.dll
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds
General

Target: 4802545.xs2.dll
Size: 110KB
MD5: cfb94c893280fd1edd40a4c74031727a
SHA1: 9bf1f365e14842621854282f976b890478816a77
SHA256: 3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4
SHA512: 31b573054e5963c939cab24b48a8610f757ea94eba21c5101f2df3ffd8fc3120327795692feda7d448091a93b4befb389eed48e17662d7f2e3b19cc441a56988
Malware Config

Signatures

- Nloader Payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/1920-61-0x00000000000B0000-0x00000000000B5000-memory.dmp | nloader

- Blocklisted process makes network request (1 IoCs)
  flow | pid  | Process
  6    | 1920 | rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description                      | pid  | Process      | procid_target
  PID 1088 wrote to memory of 1920 | 1088 | rundll32.exe | 25
  PID 1088 wrote to memory of 1920 | 1088 | rundll32.exe | 25
  PID 1088 wrote to memory of 1920 | 1088 | rundll32.exe | 25
  PID 1088 wrote to memory of 1920 | 1088 | rundll32.exe | 25
  PID 1088 wrote to memory of 1920 | 1088 | rundll32.exe | 25
  PID 1088 wrote to memory of 1920 | 1088 | rundll32.exe | 25
  PID 1088 wrote to memory of 1920 | 1088 | rundll32.exe | 25
Processes

- C:\Windows\system32\rundll32.exe (1⤵)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
  PID: 1088
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe (2⤵)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
    PID: 1920
    - Blocklisted process makes network request