Analysis
- max time kernel: 185s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 07:38
Static task: static1
Behavioral task: behavioral1
  Sample: dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll
  Resource: win10v2004-20220812-en
General
- Target: dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll
- Size: 764KB
- MD5: d9dd7916400113ae5042bdfbb22e21f0
- SHA1: 8a849dc4dd182e8d886bfa81634fcfe4f2d3c5a1
- SHA256: dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6
- SHA512: e9e094297b2df93b98b54194e66c4cd45f8c932734cf486a324e52f914597fe7e3ac2528460dcd58237df024d504cecd1194e85f0e04129e7fe1f593b6b7abd9
- SSDEEP: 12288:tPTv+CFW4hPdahP/RN2kU7fWS36pweWGJr619QV4qqxEnEk3D6qC5UjuRP4itUMP:tPSH4hQP/RN2fLqNK9QV4qBH1O4i9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: rundll32mgr.exe
    pid   process
    4860  rundll32mgr.exe
- YARA rule hits
    resource                                                                      yara_rule
    C:\Windows\SysWOW64\rundll32mgr.exe                                           upx
    C:\Windows\SysWOW64\rundll32mgr.exe                                           upx
    behavioral2/memory/4860-136-0x0000000000400000-0x0000000000454000-memory.dmp  upx
- Drops file in System32 directory (1 IoC)
  Processes: rundll32.exe
    description   ioc                                   process
    File created  C:\Windows\SysWOW64\rundll32mgr.exe   rundll32.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    4052  4860        WerFault.exe  rundll32mgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 4944 wrote to memory of 4912   4944  rundll32.exe  rundll32.exe
    PID 4944 wrote to memory of 4912   4944  rundll32.exe  rundll32.exe
    PID 4944 wrote to memory of 4912   4944  rundll32.exe  rundll32.exe
    PID 4912 wrote to memory of 4860   4912  rundll32.exe  rundll32mgr.exe
    PID 4912 wrote to memory of 4860   4912  rundll32.exe  rundll32mgr.exe
    PID 4912 wrote to memory of 4860   4912  rundll32.exe  rundll32mgr.exe
Processes (process tree; depth in parentheses)
- (1) C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll,#1
    Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      Signatures: Executes dropped EXE
      - (4) C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 268
        Signatures: Program crash
- (1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4860 -ip 4860
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 101KB
  MD5: 162e85589a5dff74d7cf05dbc5d4e8e3
  SHA1: 12544e9343869586d1679db02119e127f43d986f
  SHA256: 9cdca823e0d9922662b093a4cb9f313ab4c7c8b9a9199acca683af332d914976
  SHA512: 7ed0c16b13f1863390cf0946538aab5d2f0ff9953fcf1a76fc0ea8aecefc002a31fffa347bb1f5fab8cfeae4777045fb562cc1af3100dcbad72b5db6e007f0f7
- C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 101KB
  MD5: 162e85589a5dff74d7cf05dbc5d4e8e3
  SHA1: 12544e9343869586d1679db02119e127f43d986f
  SHA256: 9cdca823e0d9922662b093a4cb9f313ab4c7c8b9a9199acca683af332d914976
  SHA512: 7ed0c16b13f1863390cf0946538aab5d2f0ff9953fcf1a76fc0ea8aecefc002a31fffa347bb1f5fab8cfeae4777045fb562cc1af3100dcbad72b5db6e007f0f7
- memory/4860-133-0x0000000000000000-mapping.dmp
- memory/4860-136-0x0000000000400000-0x0000000000454000-memory.dmp
  Filesize: 336KB
- memory/4912-132-0x0000000000000000-mapping.dmp