Analysis
max time kernel: 277s
max time network: 335s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 07:32
Behavioral task behavioral1
Sample: 81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b.dll
Resource: win7-20221111-en

Behavioral task behavioral2
Sample: 81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b.dll
Resource: win10v2004-20221111-en
General
Target: 81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b.dll
Size: 105KB
MD5: 009786c930c56921c500d1d6ca1c47ef
SHA1: b3fedb32e8c6d44337bc2326409fe8db590a70b5
SHA256: 81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b
SHA512: 912fed66a7c21ec067a300204876fbb871efa17082fdf96e1de17852efab5458cacbe8e8da3eed6938ba9b162ec1f1c886a130df251cdd13f2c0f7d8a49b4b4a
SSDEEP: 3072:GmwAu62lep2pdokh2uex6EcKXGTVz7Zm3rF:dbuTJdNo8EcKXGTVz7ZA
Malware Config
No configuration was extracted for this sample.

Signatures
All signatures and processes below were recorded in behavioral2 (win10v2004-20221111-en); the page lists nothing for behavioral1 (win7-20221111-en).

YARA rule match: vmprotect 2 IoCs
resource                                                                      yara_rule
behavioral2/memory/5100-133-0x0000000074B80000-0x0000000074BA3000-memory.dmp  vmprotect
behavioral2/memory/5100-134-0x0000000074B80000-0x0000000074BA3000-memory.dmp  vmprotect
Both dumps cover the same 0x23000-byte (140 KB) region of PID 5100, in the 32-bit address range, which is consistent with the mapped image of the 105 KB DLL inside the SysWOW64 rundll32.exe; the rule fires on the VMProtect-packed code in it.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid   process
5100  rundll32.exe
NtSetInformationThread with ThreadHideFromDebugger (information class 0x11) stops the calling thread from delivering debug events to an attached debugger; it is a standard anti-debugging check in packed code.

Program crash 1 IoCs
pid   pid_target  process       target process
1652  5100        WerFault.exe  rundll32.exe
The 32-bit rundll32.exe hosting the DLL (PID 5100) crashed, and Windows Error Reporting (WerFault.exe, PID 1652) was started against it.

Suspicious use of WriteProcessMemory 3 IoCs
description                       pid   process       target pid  target process
PID 4928 wrote to memory of 5100  4928  rundll32.exe  5100        rundll32.exe
PID 4928 wrote to memory of 5100  4928  rundll32.exe  5100        rundll32.exe
PID 4928 wrote to memory of 5100  4928  rundll32.exe  5100        rundll32.exe
The writer (PID 4928) is the 64-bit C:\Windows\system32\rundll32.exe and the target (PID 5100) is its child, the 32-bit C:\Windows\SysWOW64\rundll32.exe, started with the same command line. That is how 64-bit rundll32.exe hands a 32-bit DLL to its SysWOW64 counterpart, so these writes are the expected relaunch pattern rather than evidence of injection by the sample; the sample's own behaviour is the activity in PID 5100.
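The vmprotect hit is the sandbox's own YARA rule and its body is not on this page. As an added example, not code from the report or from the sandbox, the following stand-alone Python walks the PE headers of a file or of a dumped image and reports two things that bear on this report: the machine type (the reason the DLL had to run inside the SysWOW64 rundll32.exe) and any sections whose names begin with .vmp, the section naming VMProtect uses and a crude but common packer indicator. The .vmp check is an assumption about the indicator, not a statement about what the sandbox rule matches; `build_min_pe` constructs a minimal headers-only PE purely so the parser can be exercised offline, and its default SizeOfImage of 0x23000 mirrors the size of the dumped region above.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Assumption for this example: sections named .vmp0/.vmp1/... are the names
# VMProtect gives its stub sections; treat them as a packer indicator.
VMP_SECTION_PREFIX = ".vmp"
OPT_SIZE_OF_IMAGE = 56  # offset of SizeOfImage in both PE32 and PE32+ optional headers


def build_min_pe(machine, section_names, size_of_image=0x23000):
    """Constructed, headers-only PE32 image for testing the parser.
    It is not loadable; it only carries the fields parse_pe_headers reads."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                              # PE32 optional header length
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, size_of_image)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe_headers(data):
    """Return machine, SizeOfImage and section names from a PE file or a dumped image.
    A memory dump keeps the header page, so the same walk works on either."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    (size_of_image,) = struct.unpack_from("<I", data, opt_off + OPT_SIZE_OF_IMAGE)
    sec_off = opt_off + opt_size                 # section table follows the optional header
    names = []
    for i in range(n_sections):
        (raw,) = struct.unpack_from("<8s", data, sec_off + 40 * i)
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "size_of_image": size_of_image, "sections": names}


def vmprotect_indicators(data):
    """Architecture plus the .vmp section heuristic, as a triage summary."""
    hdr = parse_pe_headers(data)
    arch = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(
        hdr["machine"], hex(hdr["machine"]))
    vmp = [s for s in hdr["sections"] if s.startswith(VMP_SECTION_PREFIX)]
    return {"arch": arch, "size_of_image": hdr["size_of_image"],
            "sections": hdr["sections"], "vmp_sections": vmp, "likely_vmprotect": bool(vmp)}


if __name__ == "__main__":
    # Constructed input: an x86 image with two VMProtect-style sections.
    sample = build_min_pe(IMAGE_FILE_MACHINE_I386, [b".text", b".rdata", b".vmp0", b".vmp1"])
    print(vmprotect_indicators(sample))
```

On a real file, replace the constructed buffer with `open(path, "rb").read()`; on one of the sandbox's memory dumps, the reported SizeOfImage should equal the dumped range (here 0x74BA3000 - 0x74B80000 = 0x23000), which is a quick way to confirm the dump is a complete mapped image rather than a partial region. Section names are trivially renamed by a packer's options, so absence of .vmp sections rules nothing out.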
Processes
Indentation gives the parent/child nesting; PIDs are taken from the signature tables. The sample is invoked through its first export by ordinal (,#1).

C:\Windows\system32\rundll32.exe (PID 4928)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 5100)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b.dll,#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Windows\SysWOW64\WerFault.exe (PID 1652)
      C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 552
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5100 -ip 5100
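The three WriteProcessMemory events here go from the 64-bit System32 rundll32.exe into its 32-bit SysWOW64 child, which is how rundll32.exe relaunches itself to load a 32-bit DLL, not injection by the sample. As an added example (not part of the report and not code from the sandbox), the following Python encodes that distinction as a check over the process tree and signature tables above, re-typed as data: a write is labelled as the expected WoW64 relaunch only when the writer is System32\rundll32.exe, the target is its direct child in SysWOW64 with identical arguments, and anything else is flagged; it also parses WerFault's -p argument to tie the crash back to the victim process and to whether that process set ThreadHideFromDebugger. The records are constructed from this page, the PIDs come from the signature tables, and the second WerFault instance is omitted because the page gives it no PID.

```python
import re
from ntpath import basename  # Windows path semantics on any host

# Constructed records re-typed from the report above: the process tree plus
# the PIDs given in the signature tables. The second WerFault instance
# (-pss ... -ip 5100) is omitted because the page lists no PID for it.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\81c2eee5021f9bd2eacd565ce2fd2036f73896c30c9f05d2c0158e8cc6fcd68b.dll")
PROCESSES = [
    {"pid": 4928, "ppid": None,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 5100, "ppid": 4928,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 1652, "ppid": 5100,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 552"},
]
# (signature, acting pid, target pid or None)
EVENTS = [
    ("WriteProcessMemory", 4928, 5100),
    ("WriteProcessMemory", 4928, 5100),
    ("WriteProcessMemory", 4928, 5100),
    ("NtSetInformationThreadHideFromDebugger", 5100, None),
]

EXPECTED_WOW64 = "rundll32 WoW64 relaunch (expected)"
INVESTIGATE = "cross-process write (investigate)"


def _args(cmdline):
    """Everything after the executable token, so the two rundll32 lines compare equal."""
    return cmdline.split(" ", 1)[1] if " " in cmdline else ""


def classify_write(src, dst):
    """Label one WriteProcessMemory from src into dst.

    The 64-bit rundll32.exe in System32, when handed a 32-bit DLL, relaunches
    itself from SysWOW64 with the same arguments and writes into that child
    while creating it. Only that exact shape is treated as expected."""
    same_tool = (basename(src["image"]).lower() == "rundll32.exe"
                 and basename(dst["image"]).lower() == "rundll32.exe")
    parent_child = dst["ppid"] == src["pid"]
    wow64_hop = ("\\system32\\" in src["image"].lower()
                 and "\\syswow64\\" in dst["image"].lower())
    same_args = _args(src["cmdline"]) == _args(dst["cmdline"])
    if same_tool and parent_child and wow64_hop and same_args:
        return EXPECTED_WOW64
    return INVESTIGATE


def crashed_pid(werfault_cmdline):
    """Victim PID from a WerFault.exe command line: the '-p <pid>' switch
    (neither '-pss' nor '-ip' satisfies the pattern)."""
    m = re.search(r"(?<!\S)-p\s+(\d+)", werfault_cmdline)
    return int(m.group(1)) if m else None


def triage(processes=PROCESSES, events=EVENTS):
    """Collapse repeated writes per (src, dst), list anti-debug PIDs and
    tie each WerFault instance back to the process that crashed."""
    by_pid = {p["pid"]: p for p in processes}
    writes = {}
    for name, src, dst in events:
        if name == "WriteProcessMemory":
            entry = writes.setdefault(
                (src, dst), {"count": 0, "label": classify_write(by_pid[src], by_pid[dst])})
            entry["count"] += 1
    anti_debug = sorted({src for name, src, _ in events
                         if name == "NtSetInformationThreadHideFromDebugger"})
    crashes = []
    for p in processes:
        if basename(p["image"]).lower() == "werfault.exe":
            victim = crashed_pid(p["cmdline"])
            crashes.append({
                "werfault_pid": p["pid"],
                "victim": victim,
                "victim_image": by_pid.get(victim, {}).get("image"),
                "victim_hid_from_debugger": victim in anti_debug,
            })
    return {"writes": writes, "anti_debug_pids": anti_debug, "crashes": crashes}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage())
```

The useful output is the label on the (4928, 5100) write and the crash record pointing at PID 5100, the process that also hid its thread from the debugger: the anti-debug call and the crash sit in the same 32-bit process, while the only cross-process activity is the loader's own relaunch. Feeding the same function a write from rundll32.exe into any other image, or into a rundll32.exe that is not its child, yields the investigate label.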