Analysis
- max time kernel: 143s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-08-2022 06:51
Behavioral task: behavioral1
- Sample: 28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279.dll
- Resource: win7-20220715-en (windows7-x64)
- 4 signatures, 150 seconds

Behavioral task: behavioral2
- Sample: 28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279.dll
- Resource: win10v2004-20220721-en (windows10-2004-x64)
- 4 signatures, 150 seconds
General
- Target: 28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279.dll
- Size: 5.7MB
- MD5: 0c1f5ed66819d2e2c6ef7abcced5ce6a
- SHA1: 26bc4206d03a4bbad833221c6ac56a9914d4c887
- SHA256: 28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279
- SHA512: 7447c813dc005ca4217ba99ea10a02f6b3cbee5d6376acf571be28bf0883595399c4ae0bc5372ffc4b1cb7ac266681078e7b48d8f73994edc3a61f0510b3affc
- Score: 8/10
Malware Config
Signatures
- YARA rule match: vmprotect (2 memory regions)
  - behavioral2/memory/4432-131-0x0000000010000000-0x0000000010970000-memory.dmp
  - behavioral2/memory/4432-132-0x0000000010000000-0x0000000010970000-memory.dmp
  Both hits are on the same 0x970000-byte region starting at 0x10000000 inside the 32-bit rundll32.exe (pid 4432). 0x10000000 is the default ImageBase of a 32-bit DLL, so the match is on the loaded DLL image itself, consistent with the sample being VMProtect-packed (its 5.7MB size on disk is typical of VMProtect output).
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  - rundll32.exe (pid 4432)
  NtSetInformationThread with the ThreadHideFromDebugger class detaches the calling thread from any attached debugger, so debug events on that thread are no longer delivered; it is a standard anti-debugging trick in packers and protectors such as VMProtect.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - rundll32.exe (pid 4432), four occurrences
- Suspicious use of WriteProcessMemory (3 IoCs)
  - rundll32.exe (pid 856) wrote to the memory of rundll32.exe (pid 4432), three occurrences
  The writer (pid 856) is the 64-bit rundll32.exe that launched the SysWOW64 rundll32.exe (pid 4432) to host the 32-bit DLL; a parent writing into a child it has just created is expected during process start-up and is not by itself evidence of code injection. The anti-analysis indicators in this report are all on pid 4432, the process that actually loads the DLL.
Processes
- C:\Windows\system32\rundll32.exe (pid 856): rundll32.exe C:\Users\Admin\AppData\Local\Temp\28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (pid 4432): rundll32.exe C:\Users\Admin\AppData\Local\Temp\28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279.dll,#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
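Two checks worth running offline before acting on a report like this: confirm that the sample on disk is the file the sandbox actually executed (recompute the hashes from the General section), and confirm that the memory region the YARA rule fired on is the mapped DLL image rather than some other allocation (compare the dump tag's base and size with the DLL's own PE headers). The script below is an added example and is not part of the report or of the sandbox's tooling; the hash values are copied from the General section, the dump-tag format is the one used in the Signatures section, and the PE bytes it parses are a constructed minimal 32-bit DLL header, not the real sample.

```python
"""Offline checks against a Triage-style sandbox report (added example, not the report's code).

1. verify_hashes: recompute the MD5/SHA1/SHA256/SHA512 from the General section over a file.
2. parse_memory_tag: split "<pid>-<index>-0x<start>-0x<end>-memory.dmp" into pid/base/size.
3. pe_summary: read Machine, PE32/PE32+ magic, ImageBase and SizeOfImage from a PE header.
4. region_matches_image: is the dumped region exactly the mapped image?
The PE bytes used at the bottom are a constructed header, NOT the DLL from the report.
"""
import hashlib
import re
import struct

# Digests copied from the report's General section.
REPORT_HASHES = {
    "md5": "0c1f5ed66819d2e2c6ef7abcced5ce6a",
    "sha1": "26bc4206d03a4bbad833221c6ac56a9914d4c887",
    "sha256": "28b4bee809849a0206dab1618e4d471e887c9344b5852ede895cd6862f573279",
    "sha512": "7447c813dc005ca4217ba99ea10a02f6b3cbee5d6376acf571be28bf0883595399c4ae0bc5372ffc4b1cb7ac266681078e7b48d8f73994edc3a61f0510b3affc",
}

# Tag format used by the report's YARA IoC lines.
MEMORY_TAG_RE = re.compile(
    r"^(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Recompute every digest named in `expected` over `data`; True where it matches."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest.lower()
            for algo, digest in expected.items()}


def parse_memory_tag(tag: str) -> dict:
    """Split a memory-dump tag into pid, start, end and size of the dumped region."""
    m = MEMORY_TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"not a memory-dump tag: {tag!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError("region end must lie above its start")
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def pe_summary(data: bytes) -> dict:
    """Read Machine, optional-header magic, ImageBase and SizeOfImage from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]   # 4-byte ImageBase (PE32)
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 8-byte ImageBase (PE32+)
    else:
        raise ValueError(f"unknown optional-header magic 0x{magic:x}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]    # same offset in both formats
    return {"machine": machine, "pe32": magic == PE32_MAGIC,
            "image_base": image_base, "size_of_image": size_of_image}


def region_matches_image(region: dict, pe: dict) -> bool:
    """True when the dumped region is exactly the mapped image (same base and size).

    In this report the region starts at 0x10000000, the default ImageBase of a 32-bit DLL,
    inside the SysWOW64 rundll32 (pid 4432), i.e. the YARA hit is on the loaded DLL itself.
    """
    return region["start"] == pe["image_base"] and region["size"] == pe["size_of_image"]


def build_fake_pe32_header(image_base=0x10000000, size_of_image=0x970000) -> bytes:
    """Constructed sample input: a minimal 32-bit DLL header, NOT the DLL from the report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE header right after DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", IMAGE_FILE_MACHINE_I386,
                       1, 0, 0, 0, 0xE0, 0x2102)              # 1 section; DLL | EXECUTABLE | 32BIT
    opt = bytearray(0xE0)                                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    pe = pe_summary(build_fake_pe32_header())
    region = parse_memory_tag("4432-131-0x0000000010000000-0x0000000010970000-memory.dmp")
    print(f"32-bit: {pe['pe32']}  base=0x{pe['image_base']:x}  region=0x{region['size']:x} bytes  "
          f"region is the mapped image: {region_matches_image(region, pe)}")
    print("constructed header vs report hashes:", verify_hashes(build_fake_pe32_header(), REPORT_HASHES))
```

To use it on the real sample, read the DLL into `data` and call `verify_hashes(data, REPORT_HASHES)` first; only if every entry is True does the `pe_summary(data)` comparison against the dump tag say anything about the file the sandbox ran. A PE32 image with Machine 0x14C also explains the process tree: the 64-bit rundll32 cannot load a 32-bit DLL, so it relaunches itself from SysWOW64.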