Analysis
max time kernel: 146s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 12:08
Behavioral task
behavioral1
Sample
97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll
Resource
win10v2004-20220812-en
General
Target: 97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll
Size: 107KB
MD5: 177a852dc41723876b28dee508a99ee6
SHA1: 45e87a13b9894bbfdd1a9d7e34153ce9fe8010a6
SHA256: 97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9
SHA512: 18ee953acad7c6b4e59c7dcddf9711c2688ee8f665610a03434fad15e2758b249f76c0bfc012b0ddf2e9f8b9c528dd98d353afcf4dcde6c4892254af1b21ce8b
SSDEEP: 3072:3zKvSm7W7Ju3hrr/OFAS0M+d3ddgS1LkC/NNg:3zKamM8r/OFASl+d3YC/Hg
Malware Config
Signatures
- YARA rule match: vmprotect (2 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/1260-133-0x0000000075690000-0x00000000756C2000-memory.dmp  vmprotect
  behavioral2/memory/1260-134-0x0000000075690000-0x00000000756C2000-memory.dmp  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  process       pid
  rundll32.exe  1260
- Program crash (1 IoC)
  Processes:
  process       pid   target process  pid_target
  WerFault.exe  4940  rundll32.exe    1260
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                        pid   process       target process
  PID 3796 wrote to memory of 1260   3796  rundll32.exe  rundll32.exe
  PID 3796 wrote to memory of 1260   3796  rundll32.exe  rundll32.exe
  PID 3796 wrote to memory of 1260   3796  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3796
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\97baefd417b330aa81c8dfe5087522099bf248287cbac9825b8b90f588881cf9.dll,#1
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      PID: 1260
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 580
          - Program crash
          PID: 4940
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1260 -ip 1260
  PID: 3540
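The process tree above shows the 64-bit rundll32.exe in system32 handing the DLL off to the SysWOW64 copy, which is what happens when a 32-bit DLL is passed to rundll32 on x64 Windows, and the vmprotect YARA hit lands in a 32-bit user-mode address range (0x75690000-0x756C2000) inside that WOW64 process. The following is an added static pre-check, not code from the sandbox or part of this report: it parses the PE header to confirm the DLL is 32-bit (and so predicts the SysWOW64 relaunch), records the SHA256, and flags VMProtect-style section names. The analysed sample is not available here, so the test input is a constructed minimal PE header built by `build_sample_pe`; the `.vmp` section-name check is a well-known default-naming heuristic and is an assumption on my part, not the YARA rule the sandbox matched, so a renamed-section build would pass it silently.

```python
import hashlib
import struct

# Constants from the PE specification (winnt.h).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to answer the triage questions.

    Returns machine type, COFF characteristics, optional-header magic and
    the list of section names. Raises ValueError on a malformed header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]
    sect_table = coff + 20 + opt_size
    if sect_table + nsections * 40 > len(data):
        raise ValueError("section table runs past end of file")
    names = []
    for i in range(nsections):
        off = sect_table + i * 40
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "characteristics": characteristics,
            "magic": magic, "sections": names}


def triage(data: bytes) -> dict:
    """Static pre-check: bitness, DLL flag, hash and packer-name heuristic."""
    info = parse_pe(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()
    info["is_dll"] = bool(info["characteristics"] & IMAGE_FILE_DLL)
    info["is_32bit"] = (info["machine"] == IMAGE_FILE_MACHINE_I386
                        and info["magic"] == PE32_MAGIC)
    # Heuristic (assumption), not the sandbox's yara rule: VMProtect names its
    # sections .vmp0/.vmp1 by default. Sections can be renamed, so an empty
    # list proves nothing; the in-memory yara match in the report is stronger.
    info["vmprotect_sections"] = [s for s in info["sections"]
                                  if s.lower().startswith(".vmp")]
    return info


def expected_rundll32_host(info: dict) -> str:
    """Which rundll32.exe ends up hosting the DLL on x64 Windows.

    The 64-bit rundll32 in system32 cannot load a 32-bit DLL; it re-executes
    the SysWOW64 copy, which is the system32 -> SysWOW64 pair in the tree above.
    """
    if info["is_32bit"]:
        return r"C:\Windows\SysWOW64\rundll32.exe"
    return r"C:\Windows\system32\rundll32.exe"


def build_sample_pe(machine: int, section_names, dll: bool = True) -> bytes:
    """Construct a minimal PE header (NOT the analysed sample) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    is32 = machine == IMAGE_FILE_MACHINE_I386
    opt_size = 224 if is32 else 240                          # PE32 vs PE32+ optional header
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0,
                       opt_size, characteristics)
    opt = struct.pack("<H", PE32_MAGIC if is32 else PE32PLUS_MAGIC) + b"\0" * (opt_size - 2)
    sects = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sects


if __name__ == "__main__":
    sample = build_sample_pe(IMAGE_FILE_MACHINE_I386, [".text", ".vmp0", ".vmp1"])
    info = triage(sample)
    print(info["is_32bit"], info["vmprotect_sections"], expected_rundll32_host(info))
```

To run it against a real file, replace the constructed header with `open(path, "rb").read()` and compare `info["sha256"]` with the SHA256 listed under General before trusting any other field.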