Analysis
max time kernel: 93s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 20:04
Static task: static1
Behavioral task: behavioral1
  Sample: 53072a24e3b1f2fe1816db6e385fa99103cd0516cff666af8779a929dc32543a.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 53072a24e3b1f2fe1816db6e385fa99103cd0516cff666af8779a929dc32543a.dll
  Resource: win10v2004-20220812-en
General
Target: 53072a24e3b1f2fe1816db6e385fa99103cd0516cff666af8779a929dc32543a.dll
Size: 392KB
MD5: 002054a312db2f55beff69ca1f7c2740
SHA1: fc091b63b6e4a8e44e2b410aa97379184f952f28
SHA256: 53072a24e3b1f2fe1816db6e385fa99103cd0516cff666af8779a929dc32543a
SHA512: 1de93a22ddd2577afbc08570b60c7ea4219cead9605dc11ae71b5c1a845005774493c79e879738f46111d707ec9bbea34e9842d9d91961917ca3cce69b9c8d7c
SSDEEP: 12288:0Im/AaYTxHj5VHkFf0PXtWhwUQtmO5zlCSCUXt:0Im/AzHj5mw9KwEOdlaU
Malware Config
Signatures
Executes dropped EXE 1 IoCs
  pid   Process
  3176  rundll32mgr.exe
Yara rule matches (upx) 3 IoCs
  resource                                                                      yara_rule
  behavioral2/files/0x000b000000022f3a-134.dat                                  upx
  behavioral2/files/0x000b000000022f3a-135.dat                                  upx
  behavioral2/memory/3176-136-0x0000000000400000-0x0000000000465000-memory.dmp  upx
Drops file in System32 directory 1 IoCs
  description   ioc                                  Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe
Program crash 1 IoCs
  pid   pid_target  Process       procid_target
  1160  3176        WerFault.exe  84
Suspicious use of WriteProcessMemory 6 IoCs
  description                       pid   Process       procid_target
  PID 1600 wrote to memory of 4736  1600  rundll32.exe  83
  PID 1600 wrote to memory of 4736  1600  rundll32.exe  83
  PID 1600 wrote to memory of 4736  1600  rundll32.exe  83
  PID 4736 wrote to memory of 3176  4736  rundll32.exe  84
  PID 4736 wrote to memory of 3176  4736  rundll32.exe  84
  PID 4736 wrote to memory of 3176  4736  rundll32.exe  84
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53072a24e3b1f2fe1816db6e385fa99103cd0516cff666af8779a929dc32543a.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1600
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53072a24e3b1f2fe1816db6e385fa99103cd0516cff666af8779a929dc32543a.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4736
    C:\Windows\SysWOW64\rundll32mgr.exe
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      PID: 3176
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 264
        - Program crash
        PID: 1160
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3176 -ip 3176
  PID: 4480
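The chain the report tags (system32 rundll32.exe spawning a SysWOW64 rundll32.exe, which drops rundll32mgr.exe into SysWOW64 and executes it) can be recovered from the IoC rows alone. The Python below is an added example, not part of the sandbox report: it parses the "Suspicious use of WriteProcessMemory" rows, transcribed verbatim from above, into parent/child edges, joins them with the image paths from the process tree and the file-creation IoC, and flags any process whose image was written during the run by one of its own ancestors. Attributing the file drop to pid 4736 is an assumption (the report names only rundll32.exe; that node carries the "Drops file in System32 directory" tag); the column names follow the report's tables.

```python
import re

# --- Constructed input, transcribed from the report above ---------------------

# "Suspicious use of WriteProcessMemory" rows, copied as the report flattens them.
WPM_ROWS = (
    "PID 1600 wrote to memory of 4736 1600 rundll32.exe 83 "
    "PID 1600 wrote to memory of 4736 1600 rundll32.exe 83 "
    "PID 1600 wrote to memory of 4736 1600 rundll32.exe 83 "
    "PID 4736 wrote to memory of 3176 4736 rundll32.exe 84 "
    "PID 4736 wrote to memory of 3176 4736 rundll32.exe 84 "
    "PID 4736 wrote to memory of 3176 4736 rundll32.exe 84"
)

# Image path per pid, from the process tree.
IMAGES = {
    1600: r"C:\Windows\system32\rundll32.exe",
    4736: r"C:\Windows\SysWOW64\rundll32.exe",
    3176: r"C:\Windows\SysWOW64\rundll32mgr.exe",
    1160: r"C:\Windows\SysWOW64\WerFault.exe",
    4480: r"C:\Windows\SysWOW64\WerFault.exe",
}

# "Drops file in System32 directory" row as (writer pid, created path). The report
# names only rundll32.exe; pid 4736 is an assumption taken from the tag on that node.
FILE_CREATES = [(4736, r"C:\Windows\SysWOW64\rundll32mgr.exe")]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# description | pid | Process | procid_target, matching the report's column order.
_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm_rows(text):
    """Return de-duplicated (writer_pid, target_pid) edges in first-seen order.
    One CreateProcess shows up as several writes into the new child, so the
    report's six rows collapse to two edges."""
    edges = {}
    for writer, target, pid, _proc, _target_idx in _ROW.findall(text):
        if writer != pid:  # the description and pid columns must agree
            raise ValueError(f"pid column {pid} disagrees with writer {writer}")
        edges.setdefault((int(writer), int(target)), None)
    return list(edges)


def parent_map(edges):
    """The first write into a pid is taken as its parent->child edge."""
    parents = {}
    for writer, target in edges:
        parents.setdefault(target, writer)
    return parents


def lineage(pid, parents):
    """Root-first chain of pids ending at pid (just [pid] if nothing wrote to it).
    Stops on a cycle so malformed input cannot loop forever."""
    chain = [pid]
    while chain[-1] in parents and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def executed_dropped_files(edges, images, file_creates):
    """Flag processes whose image was created during the run (the report's
    'Executes dropped EXE'), noting a system-directory drop and whether the
    dropper sits in the flagged process's own ancestry."""
    parents = parent_map(edges)
    dropped = {path.lower(): writer for writer, path in file_creates}
    hits = []
    for pid, image in images.items():
        writer = dropped.get(image.lower())
        if writer is None:
            continue
        chain = lineage(pid, parents)
        hits.append({
            "pid": pid,
            "image": image,
            "dropped_by": writer,
            "in_system_dir": image.lower().startswith(SYSTEM_DIRS),
            "dropper_is_ancestor": writer in chain[:-1],
            "chain": chain,
        })
    return hits


if __name__ == "__main__":
    for hit in executed_dropped_files(parse_wpm_rows(WPM_ROWS), IMAGES, FILE_CREATES):
        print(" -> ".join(str(p) for p in hit["chain"]), hit)
```

Running it yields one hit: pid 3176, chain 1600 -> 4736 -> 3176, dropped by an ancestor into a system directory. The WerFault processes have no WriteProcessMemory rows, so their lineage is just themselves; the crash relationship lives only in the "Program crash" row. A caveat the rows support: the dropped file is 105KB on disk while the matching dump for pid 3176 spans 0x400000-0x465000 (0x65000 bytes, about 404KB), and the upx rule matched both the dropped .dat files and that dump, so the on-disk hashes in the Downloads section identify the packed file rather than whatever it unpacks to in memory.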
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 105KB
MD5: 00260063013db3be7280fe6c8bebcdee
SHA1: 5a8726718029414951def556bdb685d8295a72aa
SHA256: 8fddaaf95eddde603fe991804addbe202f908c291d02f63108bf111ff73b2914
SHA512: 802c81f12d5d06c8facf8c86c1f1f9a65673cefb59d87eb562e1126175ec7f3d6ee8c082eec7297566568150304899c64f9d7fb597307e7a7056a2f5258e211b