Analysis
-
max time kernel
161s -
max time network
200s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
29/11/2022, 07:41
Static task
static1
Behavioral task
behavioral1
Sample
cce3965795937eb00d13a2b48e8060ffb2ab2c972ede6014e559a37fb82a784c.dll
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
cce3965795937eb00d13a2b48e8060ffb2ab2c972ede6014e559a37fb82a784c.dll
Resource
win10v2004-20221111-en
General
-
Target
cce3965795937eb00d13a2b48e8060ffb2ab2c972ede6014e559a37fb82a784c.dll
-
Size
764KB
-
MD5
0188a751fdabf8b2f5131972c24efde5
-
SHA1
d4b89df6ab83d449ee0643722b245d63ef488e90
-
SHA256
cce3965795937eb00d13a2b48e8060ffb2ab2c972ede6014e559a37fb82a784c
-
SHA512
1035379ae19e4e6d2d6ddc9fafd406ea2b14c9c38ee2e1b57ec62814a5477262db0132705361555d9117fdbc0bd9d58b1e6ba85ff4371ef3fe77fa59426f24d8
-
SSDEEP
12288:JNIyZN4+Wv4PLq6Okrh9ZN/hs9Dsd+mFYdpnnZ:J9TPmirh9Zdh6xpZ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 5096 rundll32mgr.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 3392 1264 WerFault.exe 83 2556 5096 WerFault.exe 85 -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1472 wrote to memory of 1264 1472 rundll32.exe 83 PID 1472 wrote to memory of 1264 1472 rundll32.exe 83 PID 1472 wrote to memory of 1264 1472 rundll32.exe 83 PID 1264 wrote to memory of 5096 1264 rundll32.exe 85 PID 1264 wrote to memory of 5096 1264 rundll32.exe 85 PID 1264 wrote to memory of 5096 1264 rundll32.exe 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cce3965795937eb00d13a2b48e8060ffb2ab2c972ede6014e559a37fb82a784c.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cce3965795937eb00d13a2b48e8060ffb2ab2c972ede6014e559a37fb82a784c.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 2524⤵
- Program crash
PID:2556
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 6083⤵
- Program crash
PID:3392
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1264 -ip 12641⤵PID:4272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 5096 -ip 50961⤵PID:2452
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
179KB
MD5385ebb123969c34ffd01be9af09fa85b
SHA1b02bf370f22739e500ba56e7b62d0006ca5cf42d
SHA25674a9b2721ccd34b89f5c4e5dc8683ff520e32918c3459080282f2c52c0458919
SHA512cb34932038568d508e8fbb7d7fb2ef505f63b5fff56625e36a929ebad045d9c166bda732c39876803b3311d15af7c5cc378fd0a7cccb1b60fdae1e094a59fb65
-
Filesize
179KB
MD5385ebb123969c34ffd01be9af09fa85b
SHA1b02bf370f22739e500ba56e7b62d0006ca5cf42d
SHA25674a9b2721ccd34b89f5c4e5dc8683ff520e32918c3459080282f2c52c0458919
SHA512cb34932038568d508e8fbb7d7fb2ef505f63b5fff56625e36a929ebad045d9c166bda732c39876803b3311d15af7c5cc378fd0a7cccb1b60fdae1e094a59fb65