Analysis
- max time kernel: 113s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:40
Static task: static1
Behavioral task: behavioral1
- Sample: 4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll
- Resource: win10v20210410
General
- Target: 4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll
- Size: 80KB
- MD5: 340d2d405126ba3e5edc8337a6ddb5b5
- SHA1: c83f4535ce3c47fa2edf3d94e2e5b153f757b8f4
- SHA256: 4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f
- SHA512: 180aa77d588bca616ac3a2db235e692006b93b7390948ee18c0aa59a6b1cea9f41f641a84a55df77a5da5788b6df7e9752fb17a242169b0961f8a9799c0f60f6
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\eeoacwbkuft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\tdnwme.exe\"" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | rundll32.exe
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
1968 | 1836 | WerFault.exe | rundll32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: rundll32.exe, WerFault.exe
pid | process
1836 | rundll32.exe
1968 | WerFault.exe
1968 | WerFault.exe
1968 | WerFault.exe
1968 | WerFault.exe
1968 | WerFault.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: WerFault.exe
pid | process
1968 | WerFault.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: WerFault.exe
description | pid | process
Token: SeDebugPrivilege | 1968 | WerFault.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 792 wrote to memory of 1836 | 792 | rundll32.exe | rundll32.exe
PID 792 wrote to memory of 1836 | 792 | rundll32.exe | rundll32.exe
PID 792 wrote to memory of 1836 | 792 | rundll32.exe | rundll32.exe
PID 792 wrote to memory of 1836 | 792 | rundll32.exe | rundll32.exe
PID 792 wrote to memory of 1836 | 792 | rundll32.exe | rundll32.exe
PID 792 wrote to memory of 1836 | 792 | rundll32.exe | rundll32.exe
PID 792 wrote to memory of 1836 | 792 | rundll32.exe | rundll32.exe
PID 1836 wrote to memory of 1968 | 1836 | rundll32.exe | WerFault.exe
PID 1836 wrote to memory of 1968 | 1836 | rundll32.exe | WerFault.exe
PID 1836 wrote to memory of 1968 | 1836 | rundll32.exe | WerFault.exe
PID 1836 wrote to memory of 1968 | 1836 | rundll32.exe | WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4db103f3bef49c43c766bc563068be45d617e7dd47d338fe592810c2bf04bc2f.sample.dll,#1
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 236
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken