Analysis
- max time kernel: 179s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 20:36
Behavioral task behavioral1
- Sample: 18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c.dll
- Resource: win7-20220901-en

Behavioral task behavioral2
- Sample: 18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c.dll
- Resource: win10v2004-20221111-en

The analysis metadata, signatures and process tree on this page all come from behavioral2 (Windows 10 2004 x64); no behavioral1 (Windows 7) results are shown here.
General
- Target: 18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c.dll
- Size: 142KB
- MD5: a4aec66afeec77b507b87d5e9956c7fe
- SHA1: 8481cc4e2daa07f79039b15c565f9ed416e44d15
- SHA256: 18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c
- SHA512: 283b4bcffd33531957368ee94683ec95327f0d854a0c5b453b4381cf4a6e214b156ccdbfc6e326199d6dd74696ed6c69c68422dfd1700224d41391776252d826
- SSDEEP: 3072:Jb6dmDS43k8QFvSxMoj1xGL7oZGexwi/YCRGgDkZaTBw0i:d6dmO40jFvSxMQ6L8FxwiUR2BC
Malware Config
Signatures
- YARA rule match: vmprotect (2 IoCs)
  Processes:
    resource: behavioral2/memory/1568-133-0x0000000000A70000-0x0000000000AAB000-memory.dmp  yara_rule: vmprotect
    resource: behavioral2/memory/1568-134-0x0000000000A70000-0x0000000000AAB000-memory.dmp  yara_rule: vmprotect
  Both hits are dumps (133 and 134) of the same 0x3B000-byte (236 KB) range in the 32-bit rundll32.exe process (PID 1568) that loaded the DLL, so the match is on code as it sits in memory, not on the file on disk.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    pid: 1568  process: rundll32.exe
  ThreadHideFromDebugger is a standard anti-debugging call: the calling thread stops delivering debug events to an attached debugger. It is commonly issued by code protected with commercial protectors such as VMProtect, which is consistent with the YARA hit above.
- Program crash (1 IoC)
  Processes:
    pid: 3408  pid_target: 1568  process: WerFault.exe  target process: rundll32.exe
  The 32-bit rundll32.exe hosting the DLL (PID 1568) terminated abnormally and was picked up by WerFault.exe, so the DLL did not unload cleanly in this environment.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 1360 wrote to memory of 1568  pid: 1360  process: rundll32.exe  target process: rundll32.exe
    description: PID 1360 wrote to memory of 1568  pid: 1360  process: rundll32.exe  target process: rundll32.exe
    description: PID 1360 wrote to memory of 1568  pid: 1360  process: rundll32.exe  target process: rundll32.exe
  All three writes are the 64-bit C:\Windows\system32\rundll32.exe (PID 1360) writing into the SysWOW64 rundll32.exe child it spawned (PID 1568). A 64-bit rundll32.exe re-launches the 32-bit copy when handed a 32-bit DLL, and writes into a freshly created child are part of normal process creation, so on its own this signature reflects the host re-executing itself rather than injection into an unrelated process.
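The vmprotect YARA rule above fired on a memory dump, which requires detonating the sample. A static look at the DLL's section table is often enough to spot the same protector before running anything. The script below is an added example, not code from the sandbox or from the analysed sample: it parses the DOS header, PE signature, COFF header and section table by hand (no pefile dependency) and reports VMProtect-style section names (.vmp0, .vmp1, ...) and sections whose raw bytes have high Shannon entropy. The section-name prefix, the 7.0 bits/byte entropy threshold and the minimal PE it runs on are assumptions constructed here; the constructed PE is not the bytes of the DLL in this report. To use it on a real file, pass open(path, "rb").read() to vmprotect_indicators().

```python
"""Heuristic VMProtect/packer check on a PE file's section table.

Added example for this report, not code from the sandbox or the analysed
sample. Indicators reported:
  * section names VMProtect is known to emit (".vmp0", ".vmp1", ...)
  * sections whose raw bytes have high Shannon entropy (packed/encrypted code)
The PE bytes it runs on are constructed below for a self-contained run.
"""
import hashlib
import math
import struct
from typing import Dict, List, Tuple

VMP_SECTION_PREFIX = b".vmp"      # assumption: VMProtect-named sections .vmp0/.vmp1/.vmp2
HIGH_ENTROPY = 7.0                # assumption: bits/byte; compressed/encrypted data sits near 8.0
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk the section table; raises ValueError on a malformed header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(pe):
            raise ValueError("truncated section table")
        raw_name = pe[off:off + 8]
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        raw = pe[rptr:rptr + rsize]               # the section's bytes as stored on disk
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rsize": rsize,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def vmprotect_indicators(pe: bytes) -> List[str]:
    """Human-readable indicator strings; an empty list means nothing matched."""
    hits = []
    for s in parse_sections(pe):
        if s["name"].encode().startswith(VMP_SECTION_PREFIX):
            hits.append(f"section {s['name']} carries a VMProtect name")
        if s["rsize"] > 0 and s["entropy"] >= HIGH_ENTROPY:
            hits.append(f"section {s['name']} entropy {s['entropy']} (packed/encrypted data)")
    return hits


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_pe(sections: List[Tuple[bytes, bytes, int]]) -> bytes:
    """Construct a minimal PE32 image from (name, content, characteristics) triples.
    Only the fields parse_sections() reads are meaningful; the image is not loadable."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    headers_end = _align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), file_align)
    table, body, rptr, vaddr = b"", b"", headers_end, 0x1000
    for name, content, chars in sections:
        rsize = _align(len(content), file_align)
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(content), vaddr, rsize, rptr, 0, 0, 0, 0, chars)
        body += content.ljust(rsize, b"\0")
        rptr += rsize
        vaddr += _align(len(content), 0x1000)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_end, b"\0") + body


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for
    protected code. Constructed data, not from any real sample."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample: one plain code section, one VMProtect-style section.
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 300 + b"\xC3", 0x60000020),   # NOP sled + RET: low entropy
    (b".vmp0", _pseudo_random(4096), 0xE0000040),      # .vmp name, high entropy
])

if __name__ == "__main__":
    for line in vmprotect_indicators(SAMPLE_PE):
        print(line)
```

Entropy alone flags any compressed resource or embedded certificate blob, so treat a high-entropy section as a prompt to look closer rather than a verdict; the .vmp section name is the stronger signal, and a protector that renames its sections will only show up on the entropy side. A hit on either still only says "protected", and the YARA match on the memory dump above is what ties this sample to VMProtect specifically.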
Processes
- C:\Windows\system32\rundll32.exe (PID 1360)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1568)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\18d2db52576ef0f7711256cfbc31ccc5ad8bb9b1a729d702ec07046e08b24c2c.dll,#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - C:\Windows\SysWOW64\WerFault.exe (PID 3408)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 568
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1568 -ip 1568

PIDs are taken from the signature tables above. The ",#1" argument tells rundll32.exe to call the DLL's export at ordinal 1; the 64-bit rundll32.exe then re-launched the SysWOW64 (32-bit) copy to host the 32-bit DLL, which is the process that crashed.