Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 06:34
Static task: static1
Behavioral task: behavioral1
  Sample: 78aa8219eccfab8f69b7131e1402d9684a4385e6f0d84430454f1514e2a0e90b.dll
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 78aa8219eccfab8f69b7131e1402d9684a4385e6f0d84430454f1514e2a0e90b.dll
  Resource: win10v2004-20220812-en
General
Target: 78aa8219eccfab8f69b7131e1402d9684a4385e6f0d84430454f1514e2a0e90b.dll
Size: 787KB
MD5: b1158f2e5e67732a887084d236065cf0
SHA1: 4aceb3a5a32197f1baf25dfcc2bd2bc4bd208d6d
SHA256: 78aa8219eccfab8f69b7131e1402d9684a4385e6f0d84430454f1514e2a0e90b
SHA512: fa2c2a86354776320c04b3109079a913c13134827a8b74300ba0181bb1c23440663c077e1816f7758eaaed767081db8b891cd681fb1049789ef550d65c4afc3c
SSDEEP: 24576:Qzb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwPXjZW:QzbKsUmjtcdPGgIwPXY
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes:
    pid 1460: rundll32mgr.exe
YARA rule matches (resource / yara_rule)
  C:\Windows\SysWOW64\rundll32mgr.exe: upx
  C:\Windows\SysWOW64\rundll32mgr.exe: upx
  behavioral2/memory/1460-137-0x0000000000400000-0x0000000000461000-memory.dmp: upx
Drops file in System32 directory (1 IoC)
  Processes:
    rundll32.exe: File created C:\Windows\SysWOW64\rundll32mgr.exe
Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
    2012 / 1460 / WerFault.exe / rundll32mgr.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 1388 wrote to memory of 3548 / 1388 / rundll32.exe / rundll32.exe
    PID 1388 wrote to memory of 3548 / 1388 / rundll32.exe / rundll32.exe
    PID 1388 wrote to memory of 3548 / 1388 / rundll32.exe / rundll32.exe
    PID 3548 wrote to memory of 1460 / 3548 / rundll32.exe / rundll32mgr.exe
    PID 3548 wrote to memory of 1460 / 3548 / rundll32.exe / rundll32mgr.exe
    PID 3548 wrote to memory of 1460 / 3548 / rundll32.exe / rundll32mgr.exe
Processes (process tree; numbers give the nesting depth)
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\78aa8219eccfab8f69b7131e1402d9684a4385e6f0d84430454f1514e2a0e90b.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\78aa8219eccfab8f69b7131e1402d9684a4385e6f0d84430454f1514e2a0e90b.dll,#1
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32mgr.exe
         Command line: C:\Windows\SysWOW64\rundll32mgr.exe
         - Executes dropped EXE
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 260
            - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1460 -ip 1460
Network
MITRE ATT&CK Matrix
Downloads
C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 129KB
  MD5: 0344a3aa574e9d0e0f5593ed1b4cb88b
  SHA1: 951fe2b0b4678199676e71838d91dddf762fa79d
  SHA256: 93f2949add56ea8f8f063c3b313ee701f57a208021fafbe6aac3e9a43a6f3ded
  SHA512: 31e4f5a15a7d15938cbd80638230ddb2cc3acd5060d99b4ea061fe1f186e6165755f2724c5bfe7b509a42e4a4612c95920f14d509a3f8c7b68b19e994fa7afdc
memory/1460-133-0x0000000000000000-mapping.dmp
memory/1460-137-0x0000000000400000-0x0000000000461000-memory.dmp
  Filesize: 388KB
memory/3548-132-0x0000000000000000-mapping.dmp
memory/3548-136-0x0000000005000000-0x00000000050CA000-memory.dmp
  Filesize: 808KB