Analysis
max time kernel: 178s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 10:53
Behavioral tasks
behavioral1: sample Wall Hack.dll, resource win7-20220901-en
behavioral2: sample Wall Hack.dll, resource win10v2004-20221111-en
behavioral3: sample x1nject.exe, resource win7-20220901-en
behavioral4: sample x1nject.exe, resource win10v2004-20221111-en
General
Target: Wall Hack.dll
Size: 197KB
MD5: bee0a0d87f00d2b4e8125aafa5c35b05
SHA1: 37527f723c138d4500e30e4a5c34ddecf50c5c34
SHA256: 0a5e783e5bb7b812351eb372e324f2f33b5a6f943da0fee718af816e37ce8150
SHA512: b93b40476b79783e95aac3eb2d18b0e8ca6087547235b76056030d5affb707739f3a712ace26ca6a63e96a8ee4383ad2ee70b4ec3fb04d1c8b4298efbac8a69a
SSDEEP: 3072:0gSzAsSZES2L8EH89KZGaUalyAJqO9rIm1EVPk6VXF2N1FFQirgPOlS5ss:0g7TES2XcAZQk6O9rIm1d6VFWs/5s
Malware Config
Signatures
yara_rule matches in process memory (resource / yara_rule)
  behavioral2/memory/2628-133-0x00000000752C0000-0x0000000075347000-memory.dmp  vmprotect
  behavioral2/memory/2628-136-0x00000000752C0000-0x0000000075347000-memory.dmp  vmprotect
  behavioral2/memory/2628-139-0x00000000752C0000-0x0000000075347000-memory.dmp  vmprotect
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   process
  2628  rundll32.exe
Program crash (1 IoC)
  pid   pid_target  process       target process
  1000  2628        WerFault.exe  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process       target process
  PID 1700 wrote to memory of 2628  1700  rundll32.exe  rundll32.exe
  PID 1700 wrote to memory of 2628  1700  rundll32.exe  rundll32.exe
  PID 1700 wrote to memory of 2628  1700  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Wall Hack.dll",#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Wall Hack.dll",#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 892
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2628 -ip 2628
Network
MITRE ATT&CK Matrix
Downloads
memory/2628-132-0x0000000000000000-mapping.dmp
memory/2628-133-0x00000000752C0000-0x0000000075347000-memory.dmp (540KB)
memory/2628-136-0x00000000752C0000-0x0000000075347000-memory.dmp (540KB)
memory/2628-137-0x0000000075080000-0x000000007520F000-memory.dmp (1.6MB)
memory/2628-138-0x0000000075080000-0x000000007520F000-memory.dmp (1.6MB)
memory/2628-139-0x00000000752C0000-0x0000000075347000-memory.dmp (540KB)