Analysis
- max time kernel: 96s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 10:18
Behavioral task: behavioral1
- Sample: 301d3a3cb2decffad3f3e850e0cb8907d690859fd091fe7c1c067e3e113376f0.dll
- Resource: win7-20221111-en (windows7-x64)
- 6 signatures
- 150 seconds
General
- Target: 301d3a3cb2decffad3f3e850e0cb8907d690859fd091fe7c1c067e3e113376f0.dll
- Size: 783KB
- MD5: 1bae4df56f24a52942b126eb420126a1
- SHA1: 434401c158bd65e907b8babf3f6df0130ab6c7cc
- SHA256: 301d3a3cb2decffad3f3e850e0cb8907d690859fd091fe7c1c067e3e113376f0
- SHA512: a025b9691f5032eaba396524d46f5674df8eda08a10f193307dae7ffbb837e47d8e9a2842b5cbe627e6b5b2f3e06ff5675cf8079bb7f377b456c12d91ecfaabb
- SSDEEP: 24576:yOPEZOLsZdFEsAMjjnthhEMxJu7ez1Q7:n4Eep8YuGQ
Signatures
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine; process: rundll32.exe
- YARA match
  resource: behavioral1/memory/748-56-0x0000000000970000-0x0000000000B2B000-memory.dmp; yara_rule: themida
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid: 748; process: rundll32.exe
- Program crash (1 IoC)
  Processes:
  pid: 1560; pid_target: 748; process: WerFault.exe; target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid: 748; process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description: PID 920 wrote to memory of 748; pid: 920; process: rundll32.exe; target process: rundll32.exe (entry repeated 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\301d3a3cb2decffad3f3e850e0cb8907d690859fd091fe7c1c067e3e113376f0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\301d3a3cb2decffad3f3e850e0cb8907d690859fd091fe7c1c067e3e113376f0.dll,#1
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 444
      - Program crash