Analysis
max time kernel: 190s
max time network: 224s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 19:47
Behavioral task behavioral1
  Sample: c06951ac98e587108543cbf20046700efe80d257a5b34205622ad8bd2049adfc.dll
  Resource: win7-20221111-en
Behavioral task behavioral2
  Sample: c06951ac98e587108543cbf20046700efe80d257a5b34205622ad8bd2049adfc.dll
  Resource: win10v2004-20221111-en
General
Target: c06951ac98e587108543cbf20046700efe80d257a5b34205622ad8bd2049adfc.dll
Size: 3.7MB
MD5: 4668d4fcd04969101d04962e32a704fe
SHA1: a5521b12c834b5c1f3bf9dd84799cb95d6c17a51
SHA256: c06951ac98e587108543cbf20046700efe80d257a5b34205622ad8bd2049adfc
SHA512: 221ae63eac60bce41e179d1407b58a43c437803e5764a08379bd2f8b63df5ec367c3d91e1ea6f57fd0d9d85a7b64206dc229ac7efb58c4a3aa550aaee3d944ef
SSDEEP: 49152:Ta1PGtlqJIU6irgk0FtF8Eing5BIxCoj0QUTIwEnVPPqpGx9Tlz:+W+8HIxCoj0QUTIwkcpGx
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
  flow | pid  | process
  40   | 1752 | rundll32.exe

Processes:
  resource                                                                     | yara_rule
  behavioral2/memory/1752-132-0x0000000180000000-0x00000001803B7000-memory.dmp | vmprotect
  behavioral2/memory/1752-133-0x0000000180000000-0x00000001803B7000-memory.dmp | vmprotect
  behavioral2/memory/1752-134-0x0000000180000000-0x00000001803B7000-memory.dmp | vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: rundll32.exe
  pid  | process
  1752 | rundll32.exe

Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe
  description                  | ioc                       | process
  File opened for modification | C:\Windows\BB0A\          | rundll32.exe
  File created                 | C:\Windows\BB0A\BB0A.txt  | rundll32.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid | pid_target | process      | target process
  828 | 1752       | WerFault.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c06951ac98e587108543cbf20046700efe80d257a5b34205622ad8bd2049adfc.dll,#1
  - Blocklisted process makes network request
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 1752 -s 964
      - Program crash

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 1752 -ip 1752